feat(security): creado SecurityConfig para controlar autorización según roles y autenticación

b00730b7 · Alba María Álvarez · 87efc5f6 · b00730b7
Commit b00730b7 authored Jun 19, 2025 by Alba María Álvarez
Showing with 25 additions and 9 deletions
src/main/java/com/example/apprecetas/user/infrastructure/config/SecurityConfig.java → src/main/java/com/example/apprecetas/security/config/SecurityConfig.java
--- a/src/main/java/com/example/apprecetas/user/infrastructure/config/SecurityConfig.java
+++ b/src/main/java/com/example/apprecetas/user/infrastructure/config/SecurityConfig.java
-package com.example.apprecetas.user.infrastructure.config;
+package com.example.apprecetas.security.config;

+import com.example.apprecetas.security.jwt.JwtAuthFilter;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

+@EnableWebSecurity
 @Configuration
+@RequiredArgsConstructor
 public class SecurityConfig {

-    @Bean
-    public PasswordEncoder passwordEncoder() {
-        return new BCryptPasswordEncoder();
-    }
+    private final JwtAuthFilter jwtAuthFilter;
+
+    private final CustomAuthenticationEntryPoint authenticationEntryPoint;

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .csrf(AbstractHttpConfigurer::disable)
                .headers(AbstractHttpConfigurer::disable)  // necesario para h2-console
-                .sessionManagement(AbstractHttpConfigurer::disable)
                .httpBasic(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(request -> request
-                        .anyRequest().permitAll()      // permite TODO sin autenticación
+                        .requestMatchers("/auth/**").permitAll()
+                        .requestMatchers(HttpMethod.GET, "/user").hasRole("ADMIN")
+                        .anyRequest().authenticated()
                )
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
+                .exceptionHandling(ex -> ex.authenticationEntryPoint(authenticationEntryPoint))
                .build();
    }

+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
+        return authConfig.getAuthenticationManager();
+    }
+
 }