From 4d05052e54657d7db7b836f5d441f473a367f672 Mon Sep 17 00:00:00 2001 From: kavya aerala Date: Thu, 12 Jun 2025 12:32:55 +0530 Subject: [PATCH] cors security added --- .../bankaudit/jwthelper/JwtTokenFilter.java | 169 +++++++++--------- .../bankaudit/security/SecurityConfig.java | 40 +++++ 2 files changed, 121 insertions(+), 88 deletions(-) create mode 100644 baasDOSLcl/src/main/java/com/bankaudit/security/SecurityConfig.java diff --git a/baasDOSLcl/src/main/java/com/bankaudit/jwthelper/JwtTokenFilter.java b/baasDOSLcl/src/main/java/com/bankaudit/jwthelper/JwtTokenFilter.java index b4212e2..28f124e 100644 --- a/baasDOSLcl/src/main/java/com/bankaudit/jwthelper/JwtTokenFilter.java +++ b/baasDOSLcl/src/main/java/com/bankaudit/jwthelper/JwtTokenFilter.java @@ -7,7 +7,6 @@ import com.bankaudit.repository.UserRepository; import com.bankaudit.repository.UserSessionRepository; import com.fasterxml.jackson.databind.ObjectMapper; - import org.springframework.beans.factory.annotation.Value; import org.springframework.http.HttpStatus; import org.springframework.stereotype.Component; 
@@ -36,104 +35,98 @@ public class JwtTokenFilter extends OncePerRequestFilter { @Value("${isdev}") private boolean isDev; private final AntPathMatcher pathMatcher = new AntPathMatcher(); - private final List excludedEndpoints = Arrays.asList("/api/user/healthCheck", "/api/user/login","/swagger-ui.html", - "/swagger-ui/**", "/v3/api-docs/**","/v2/api-docs/**", "/swagger-resources/**", "/webjars/**","/api/swagger-ui.html", - "/api/swagger-ui/**", "/api/v3/api-docs/**","/api/v2/api-docs/**", "/api/swagger-resources/**", "/api/webjars/**", - "/api/users/forgot-password", "/api/users/validate-otp", "/api/roles","/api/user/validateUserWithIdandMobile","/api/user/validateToken","/api/user/resetPassword"); + private final List excludedEndpoints = Arrays.asList("/api/user/healthCheck", "/api/user/login", + "/swagger-ui.html", + "/swagger-ui/**", "/v3/api-docs/**", "/v2/api-docs/**", "/swagger-resources/**", "/webjars/**", + "/api/swagger-ui.html", + "/api/swagger-ui/**", "/api/v3/api-docs/**", "/api/v2/api-docs/**", "/api/swagger-resources/**", + "/api/webjars/**", + "/api/users/forgot-password", "/api/users/validate-otp", "/api/roles", + "/api/user/validateUserWithIdandMobile", "/api/user/validateToken", "/api/user/resetPassword"); @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { String requestPath; requestPath = request.getRequestURI().substring(request.getContextPath().length()); - - response.setHeader("Access-Control-Allow-Origin", "*"); - response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT"); - response.setHeader("Access-Control-Max-Age", "3600"); - if ("OPTIONS".equals(request.getMethod())) { - response.setStatus(HttpServletResponse.SC_OK); + if (isExcludedEndpoint(requestPath)) { + filterChain.doFilter(request, response); return; - } else { - if (isExcludedEndpoint(requestPath)) { + } + + String authorizationHeader = 
request.getHeader("Authorization");
+
+ if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
+ response.setStatus(HttpStatus.UNAUTHORIZED.value());
+ response.getWriter().write("Authorization header is missing or invalid");
+ return;
+ }
+ String token = authorizationHeader.substring(7);
+ MaintLegalEntity maintLegalEntity = DomainUtil.getLegalEntityCodeByDomain(request.getHeader("Host"));
+
+ if (!JwtTokenUtil.validateJwt(token, maintLegalEntity)) {
+ String message = "Your session has expired please re-login again";
+ Map responseMap = new HashMap<>();
+ response.setStatus(HttpStatus.UNAUTHORIZED.value());
+ responseMap.put("success", false);
+ responseMap.put("message", message);
+ ObjectMapper objectMapper = new ObjectMapper();
+ String jsonResponse = objectMapper.writeValueAsString(responseMap);
+ response.getWriter().write(jsonResponse);
+ response.setContentType("application/json");
+ response.setCharacterEncoding("UTF-8");
+ return;
+ }
+ String userId = JwtTokenUtil.getUserIdFromJwt(token);
+ String legalEntityCode = JwtTokenUtil.getLeCodeFromJwt(token);
+ UserSession userDetails = userSessionRepository.findByUserIdAndLegalEntityCode(userId,
+ Integer.parseInt(legalEntityCode));
+
+ if (JwtTokenUtil.getUserIdFromJwt(token) == null || userDetails == null) {
+ String message = "Not a valid session";
+ response.setStatus(HttpStatus.UNAUTHORIZED.value());
+ Map responseMap = new HashMap<>();
+ responseMap.put("success", false);
+ responseMap.put("message", message);
+ ObjectMapper objectMapper = new ObjectMapper();
+ String jsonResponse = objectMapper.writeValueAsString(responseMap);
+ response.getWriter().write(jsonResponse);
+ response.setContentType("application/json");
+ response.setCharacterEncoding("UTF-8");
+ return;
+ }
+ if (AuthorizationHelper.isToBeAuthorizedEndpointWithTemporaryToken(requestPath)) {
+ if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId)) {
+ String message = "Not a valid session";
+ response.setStatus(HttpStatus.UNAUTHORIZED.value());
+ Map responseMap = new HashMap<>();
+ responseMap.put("success", false);
+ responseMap.put("message", message);
+ ObjectMapper objectMapper = new ObjectMapper();
+ String jsonResponse = objectMapper.writeValueAsString(responseMap);
+ response.getWriter().write(jsonResponse);
+ response.setContentType("application/json");
+ response.setCharacterEncoding("UTF-8");
+ return;
+ } else {
 filterChain.doFilter(request, response);
 return;
 }
-
- String authorizationHeader = request.getHeader("Authorization");
-
- if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
- response.setStatus(HttpStatus.UNAUTHORIZED.value());
- response.getWriter().write("Authorization header is missing or invalid");
- return;
- }
- String token = authorizationHeader.substring(7);
- MaintLegalEntity maintLegalEntity = DomainUtil.getLegalEntityCodeByDomain(request.getHeader("Host"));
-
- if (!JwtTokenUtil.validateJwt(token, maintLegalEntity)) {
- String message = "Your session has expired please re-login again";
- Map responseMap = new HashMap<>();
- response.setStatus(HttpStatus.UNAUTHORIZED.value());
- responseMap.put("success", false);
- responseMap.put("message", message);
- ObjectMapper objectMapper = new ObjectMapper();
- String jsonResponse = objectMapper.writeValueAsString(responseMap);
- response.getWriter().write(jsonResponse);
- response.setContentType("application/json");
- response.setCharacterEncoding("UTF-8");
- return;
- }
- String userId = JwtTokenUtil.getUserIdFromJwt(token);
- String legalEntityCode = JwtTokenUtil.getLeCodeFromJwt(token);
- UserSession userDetails = userSessionRepository.findByUserIdAndLegalEntityCode(userId, Integer.parseInt(legalEntityCode));
-
- if (JwtTokenUtil.getUserIdFromJwt(token) == null || userDetails == null) {
- String message = "Not a valid session";
- response.setStatus(HttpStatus.UNAUTHORIZED.value());
- Map responseMap = new HashMap<>();
- responseMap.put("success", false);
- responseMap.put("message", message);
- ObjectMapper objectMapper = new ObjectMapper();
- String jsonResponse = objectMapper.writeValueAsString(responseMap);
- response.getWriter().write(jsonResponse);
- response.setContentType("application/json");
- response.setCharacterEncoding("UTF-8");
- return;
- }
- if(AuthorizationHelper.isToBeAuthorizedEndpointWithTemporaryToken(requestPath)){
- if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId)) {
- String message = "Not a valid session";
- response.setStatus(HttpStatus.UNAUTHORIZED.value());
- Map responseMap = new HashMap<>();
- responseMap.put("success", false);
- responseMap.put("message", message);
- ObjectMapper objectMapper = new ObjectMapper();
- String jsonResponse = objectMapper.writeValueAsString(responseMap);
- response.getWriter().write(jsonResponse);
- response.setContentType("application/json");
- response.setCharacterEncoding("UTF-8");
- return;
- }else{
- filterChain.doFilter(request, response);
- return;
- }
- }
- if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId) || !token.equals(userDetails.getToken())) {
- String message = "Not a valid session";
- response.setStatus(HttpStatus.UNAUTHORIZED.value());
- Map responseMap = new HashMap<>();
- responseMap.put("success", false);
- responseMap.put("message", message);
- ObjectMapper objectMapper = new ObjectMapper();
- String jsonResponse = objectMapper.writeValueAsString(responseMap);
- response.getWriter().write(jsonResponse);
- response.setContentType("application/json");
- response.setCharacterEncoding("UTF-8");
- return;
- }
-
-
- filterChain.doFilter(request, response);
 }
+ if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId) || !token.equals(userDetails.getToken())) {
+ String message = "Not a valid session";
+ response.setStatus(HttpStatus.UNAUTHORIZED.value());
+ Map responseMap = new HashMap<>();
+ responseMap.put("success", false);
+ responseMap.put("message", message);
+ ObjectMapper objectMapper = new ObjectMapper();
+ String jsonResponse = objectMapper.writeValueAsString(responseMap);
+ response.getWriter().write(jsonResponse);
+ response.setContentType("application/json");
+ response.setCharacterEncoding("UTF-8");
+ return;
+ }
+ filterChain.doFilter(request, response);
 }
diff --git a/baasDOSLcl/src/main/java/com/bankaudit/security/SecurityConfig.java b/baasDOSLcl/src/main/java/com/bankaudit/security/SecurityConfig.java
new file mode 100644
index 0000000..4e80613
--- /dev/null
+++ b/baasDOSLcl/src/main/java/com/bankaudit/security/SecurityConfig.java
@@ -0,0 +1,40 @@
+package com.bankaudit.security;
+
+import java.util.List;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+
+@Configuration
+public class SecurityConfig {
+
+ @Bean
+ public CorsConfigurationSource corsConfigurationSource() {
+ CorsConfiguration config = new CorsConfiguration();
+ config.setAllowedOriginPatterns(List.of("http://localhost:4200","https://openledger-sit.finakon.in")); // Don't use "*" with credentials
+ config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
+ config.setAllowedHeaders(List.of("*"));
+ config.setAllowCredentials(true); // Important if Authorization header is used
+
+ UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+ source.registerCorsConfiguration("/**", config);
+ return source;
+ }
+
+ @Bean
+ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+ http
+ .cors().and()
+ .csrf().disable()
+ .authorizeRequests()
+ .anyRequest().permitAll(); // or restrict specific endpoints
+ return http.build();
+ }
+
+
+}
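Review bot: In each JSON 401 branch of doFilterInternal (expired token, invalid session, temporary-token mismatch, token mismatch) `response.setContentType("application/json")` and `response.setCharacterEncoding("UTF-8")` run after `response.getWriter().write(jsonResponse)`; the Servlet API ignores a character encoding set once getWriter() has been called, so the body is encoded with the container default and the declared charset cannot be relied on. The same twelve lines are repeated four times, and the plain-text branch for a missing Authorization header sets no content type at all, so a private helper that sets status and headers before obtaining the writer (below) fixes both the ordering and the duplication. Separately, `!JwtTokenUtil.getUserIdFromJwt(token).equals(userId)` in the temporary-token and final checks compares the token's user id with a value read from the same token a few lines earlier and so never rejects; only `userDetails == null` and `token.equals(userDetails.getToken())` actually bind the request to a stored session, and the `getUserIdFromJwt(token) == null` test comes after userId has already been passed to the repository. The legal entity used for validation is chosen from the client-supplied Host header; unless permitted hosts are enforced upstream, that choice is under the caller's control and is worth confirming. The enclosing class starts outside the hunk, and the method signature sits in the hunk's collapsed first line.
```java
    /** Sends a 401 with a JSON body; status, content type and charset are set before getWriter() so they take effect. */
    private static void writeUnauthorized(HttpServletResponse response, String message) throws IOException {
        Map<String, Object> responseMap = new HashMap<>();
        responseMap.put("success", false);
        responseMap.put("message", message);
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(new ObjectMapper().writeValueAsString(responseMap));
    }

    // … in doFilterInternal each JSON error branch collapses to the same shape, e.g.:
        if (!JwtTokenUtil.validateJwt(token, maintLegalEntity)) {
            writeUnauthorized(response, "Your session has expired please re-login again");
            return;
        }
        // … unchanged: session lookup and the remaining checks …
```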
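Review bot: corsConfigurationSource hard-codes the allowed origins, including the plain-HTTP development origin `http://localhost:4200`, so that origin is accepted wherever this build is deployed; the project already reads `${isdev}` from properties in JwtTokenFilter, so the list belongs in configuration as well, e.g. `@Value("${cors.allowed-origins}") private List<String> allowedOrigins;` (property name illustrative) and `config.setAllowedOriginPatterns(allowedOrigins);`. The comment on `config.setAllowCredentials(true)` is misleading: that flag governs browser-managed credentials such as cookies, not an Authorization header the front end sets itself, which only needs to be covered by allowed headers; if no cookie is used cross-origin the credentials flag can be dropped, and either way the reason `.csrf().disable()` is safe (bearer-token auth, no cookie session) should be stated in a comment rather than left implicit. securityFilterChain permits every request, so all authorization rests on JwtTokenFilter, which is a plain @Component filter outside this chain; that relationship deserves a comment on the bean, and since the OPTIONS short-circuit was removed from JwtTokenFilter in the same commit, it is worth confirming the filter is ordered after the security chain so preflight requests (which carry no Authorization header) are answered by CorsFilter rather than rejected with 401.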