Diffstat (limited to 'src/main/java/com/blog/web/security/SecurityConfig.java')
-rw-r--r--src/main/java/com/blog/web/security/SecurityConfig.java38
1 files changed, 38 insertions, 0 deletions
diff --git a/src/main/java/com/blog/web/security/SecurityConfig.java b/src/main/java/com/blog/web/security/SecurityConfig.java
new file mode 100644
index 0000000..1471d0f
--- /dev/null
+++ b/src/main/java/com/blog/web/security/SecurityConfig.java
@@ -0,0 +1,38 @@
+package com.blog.web.security;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity(securedEnabled = true)
+public class SecurityConfig {
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ // disabling csrf leaves us vulnerable, in a real production app do not do this
+ http.csrf(c -> c.disable())
+ .cors(c -> c.disable())
+ .authorizeHttpRequests( auths -> auths
+ .requestMatchers("/login", "/register", "/articles", "/css/**", "/js/**")
+ .permitAll()
+ )
+ .formLogin(form -> form
+ .loginPage("/login")
+ .usernameParameter("username")
+ .passwordParameter("password")
+ .defaultSuccessUrl("/articles")
+ .loginProcessingUrl("/login")
+ .failureUrl("/login?error=true")
+ .permitAll()
+ ).logout(
+ logout -> logout
+ .logoutUrl("/logout")
+ .logoutSuccessUrl("/articles"));
+ return http.build();
+ }
+}
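Review bot: The authorizeHttpRequests block (lines 35–38) lists only permitAll matchers and has no terminal rule, so whether an unlisted path (article create/edit, account pages) requires a login is left to the framework's fallback behaviour instead of being decided here; add `.anyRequest().authenticated()` after the `.permitAll()` on line 37 so the deny-by-default intent is explicit and survives a framework upgrade. Note also that `"/articles"` matches only that exact path, so any `/articles/{id}` routes fall into the unlisted category and would be covered by that terminal rule. The `AntPathRequestMatcher` import on line 24 is unused and can be dropped. The comment on line 32 already flags the disabled CSRF protection; since it is disabled, a plain GET to `/logout` will presumably also be accepted, which is worth a one-line mention next to the logout configuration.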