diff --git a/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java b/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
index c23f236e..177bb475 100644
--- a/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
+++ b/src/main/java/ch/ethz/seb/sebserver/WebSecurityConfig.java
@@ -40,9 +40,6 @@ import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
@Order(7)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements ErrorController {
- private static final String ERROR_PATH = "/sebserver/error";
- private static final String CHECK_PATH = "/sebserver/check";
-
@Value("${sebserver.webservice.http.redirect.gui}")
private String guiRedirect;
@Value("${sebserver.webservice.api.exam.endpoint.discovery}")
@@ -77,23 +74,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements E
return new BCryptPasswordEncoder(4);
}
- @Override
- public void configure(final WebSecurity web) {
- web
- .ignoring()
- .antMatchers(ERROR_PATH)
- .antMatchers(CHECK_PATH)
- .antMatchers(this.examAPIDiscoveryEndpoint)
- .antMatchers(this.adminAPIEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**")
- .antMatchers(this.adminAPIEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**")
- .antMatchers(this.adminAPIEndpoint + API.REGISTER_ENDPOINT);
- }
-
- @RequestMapping(CHECK_PATH)
+ @RequestMapping(API.CHECK_PATH)
public void check() throws IOException {
}
- @RequestMapping(ERROR_PATH)
+ @RequestMapping(API.ERROR_PATH)
public void handleError(final HttpServletResponse response) throws IOException {
response.getOutputStream().print(response.getStatus());
response.setHeader(HttpHeaders.LOCATION, this.guiRedirect);
diff --git a/src/main/java/ch/ethz/seb/sebserver/gui/GuiWebsecurityConfig.java b/src/main/java/ch/ethz/seb/sebserver/gui/GuiWebsecurityConfig.java
index caacff0c..8ff2351e 100644
--- a/src/main/java/ch/ethz/seb/sebserver/gui/GuiWebsecurityConfig.java
+++ b/src/main/java/ch/ethz/seb/sebserver/gui/GuiWebsecurityConfig.java
@@ -42,6 +42,10 @@ public class GuiWebsecurityConfig extends WebSecurityConfigurerAdapter {
private String remoteProctoringViewServletEndpoint;
@Value("${springdoc.api-docs.enabled:false}")
private boolean springDocsAPIEnabled;
+ @Value("${sebserver.webservice.api.exam.endpoint.discovery}")
+ private String examAPIDiscoveryEndpoint;
+ @Value("${sebserver.webservice.api.admin.endpoint}")
+ private String adminAPIEndpoint;
/** Gui-service related public URLS from spring web security perspective */
public static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher(
@@ -52,28 +56,40 @@ public class GuiWebsecurityConfig extends WebSecurityConfigurerAdapter {
// project specific static resources
new AntPathRequestMatcher("/images/**"),
- new AntPathRequestMatcher("/favicon.ico"));
+ new AntPathRequestMatcher("/favicon.ico")
+ );
@Override
public void configure(final WebSecurity web) {
web
- .ignoring()
- .requestMatchers(PUBLIC_URLS)
- .antMatchers(this.guiEntryPoint)
- .antMatchers(this.remoteProctoringEndpoint)
- .antMatchers(this.remoteProctoringEndpoint + this.remoteProctoringViewServletEndpoint + "/*");
+ .ignoring()
+ .antMatchers(this.guiEntryPoint)
+ ;
if (this.springDocsAPIEnabled) {
web.ignoring().antMatchers("/swagger-ui.html", "/swagger-ui/**", "/v3/api-docs/**");
}
}
+
+
@Override
public void configure(final HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
+ .authorizeRequests()
+ .antMatchers(this.remoteProctoringEndpoint).permitAll()
+ .antMatchers(this.remoteProctoringEndpoint + this.remoteProctoringViewServletEndpoint + "/*").permitAll()
+ .requestMatchers(PUBLIC_URLS).permitAll()
+ .antMatchers(API.ERROR_PATH).permitAll()
+ .antMatchers(API.CHECK_PATH).permitAll()
+ .antMatchers(this.examAPIDiscoveryEndpoint).permitAll()
+ .antMatchers(adminAPIEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**").permitAll()
+ .antMatchers(adminAPIEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**").permitAll()
+ .antMatchers(adminAPIEndpoint + API.REGISTER_ENDPOINT).permitAll()
+ .and()
.antMatcher("/**")
.authorizeRequests()
.anyRequest()
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/WebServiceSecurityConfig.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/WebServiceSecurityConfig.java
index 76993e77..0624fdb9 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/WebServiceSecurityConfig.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/WebServiceSecurityConfig.java
@@ -13,6 +13,7 @@ import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import ch.ethz.seb.sebserver.gbl.api.API;
import org.apache.catalina.filters.RemoteIpFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -50,18 +51,18 @@ import ch.ethz.seb.sebserver.webservice.weblayer.oauth.WebClientDetailsService;
import ch.ethz.seb.sebserver.webservice.weblayer.oauth.WebserviceResourceConfiguration;
/** This is the main web-security Spring configuration for SEB-Server webservice API
- *
+ *
* Currently two separated Rest API's are implemented, one for administration and maintenance
* of the SEB-Server (AdminAPI) and one for SEB-Client connection on running exams and eventually
* also for LMS communication), if needed (ExamAPI). The AdministrationAPI uses OAuth 2 password
* grant with refresh-token, same as in the prototype and the ExamAPI uses the client_credential grant.
- *
+ *
* There is a Spring Authorization-Server defining this two clients (AdminAPIClient and ExamAPIClient) as well as
* two Spring Resource-Server for the separation of the different API's
- *
+ *
* The endpoint of the AdministrationAPI can be configured within the key; sebserver.webservice.api.admin.endpoint
* and is by default set to "/admin-api/**"
- *
+ *
* The endpoint of the ExamAPI can be configured within the key; sebserver.webservice.api.exam.endpoint
* and is by default set to "/exam-api/**" */
@WebServiceProfile
diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/oauth/WebserviceResourceConfiguration.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/oauth/WebserviceResourceConfiguration.java
index f7e70ad2..5957467b 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/oauth/WebserviceResourceConfiguration.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/oauth/WebserviceResourceConfiguration.java
@@ -11,6 +11,8 @@ package ch.ethz.seb.sebserver.webservice.weblayer.oauth;
import java.util.Arrays;
import java.util.List;
+import ch.ethz.seb.sebserver.gbl.api.API;
+import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
@@ -30,6 +32,8 @@ public abstract class WebserviceResourceConfiguration extends ResourceServerConf
public static final String ADMIN_API_RESOURCE_ID = "seb-server-administration-api";
/** The resource identifier of the Exam API resources */
public static final String EXAM_API_RESOURCE_ID = "seb-server-exam-api";
+ @Value("${sebserver.webservice.api.exam.endpoint.discovery}")
+ private String examAPIDiscoveryEndpoint;
public WebserviceResourceConfiguration(
final TokenStore tokenStore,
@@ -74,6 +78,14 @@ public abstract class WebserviceResourceConfiguration extends ResourceServerConf
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
+ .authorizeRequests()
+ .antMatchers(API.ERROR_PATH).permitAll()
+ .antMatchers(API.CHECK_PATH).permitAll()
+ .antMatchers(this.examAPIDiscoveryEndpoint).permitAll()
+ .antMatchers(configurerAdapter.apiEndpoint + API.INFO_ENDPOINT + API.LOGO_PATH_SEGMENT + "/**").permitAll()
+ .antMatchers(configurerAdapter.apiEndpoint + API.INFO_ENDPOINT + API.INFO_INST_PATH_SEGMENT + "/**").permitAll()
+ .antMatchers(configurerAdapter.apiEndpoint + API.REGISTER_ENDPOINT).permitAll()
+ .and()
.antMatcher(configurerAdapter.apiEndpoint + "/**")
.authorizeRequests()
.anyRequest()