DineshV/OPENLEDGER-BE
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cors security added

Browse Source
This commit is contained in:
kavya aerala 2025-06-12 12:32:55 +05:30
parent 7ef8798d2e
commit 4d05052e54
2 changed files with 121 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

169
baasDOSLcl/src/main/java/com/bankaudit/jwthelper/JwtTokenFilter.java
View File

@ -7,7 +7,6 @@ import com.bankaudit.repository.UserRepository;
import com.bankaudit.repository.UserSessionRepository; import com.bankaudit.repository.UserSessionRepository;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
@ -36,104 +35,98 @@ public class JwtTokenFilter extends OncePerRequestFilter {
@Value("${isdev}") @Value("${isdev}")
private boolean isDev; private boolean isDev;
private final AntPathMatcher pathMatcher = new AntPathMatcher(); private final AntPathMatcher pathMatcher = new AntPathMatcher();
private final List<String> excludedEndpoints = Arrays.asList("/api/user/healthCheck", "/api/user/login","/swagger-ui.html", private final List<String> excludedEndpoints = Arrays.asList("/api/user/healthCheck", "/api/user/login",
"/swagger-ui/**", "/v3/api-docs/**","/v2/api-docs/**", "/swagger-resources/**", "/webjars/**","/api/swagger-ui.html", "/swagger-ui.html",
"/api/swagger-ui/**", "/api/v3/api-docs/**","/api/v2/api-docs/**", "/api/swagger-resources/**", "/api/webjars/**", "/swagger-ui/**", "/v3/api-docs/**", "/v2/api-docs/**", "/swagger-resources/**", "/webjars/**",
"/api/users/forgot-password", "/api/users/validate-otp", "/api/roles","/api/user/validateUserWithIdandMobile","/api/user/validateToken","/api/user/resetPassword"); "/api/swagger-ui.html",
"/api/swagger-ui/**", "/api/v3/api-docs/**", "/api/v2/api-docs/**", "/api/swagger-resources/**",
"/api/webjars/**",
"/api/users/forgot-password", "/api/users/validate-otp", "/api/roles",
"/api/user/validateUserWithIdandMobile", "/api/user/validateToken", "/api/user/resetPassword");
@Override @Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException { throws ServletException, IOException {
String requestPath; String requestPath;
requestPath = request.getRequestURI().substring(request.getContextPath().length()); requestPath = request.getRequestURI().substring(request.getContextPath().length());
if (isExcludedEndpoint(requestPath)) {
response.setHeader("Access-Control-Allow-Origin", "*"); filterChain.doFilter(request, response);
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE, PUT");
response.setHeader("Access-Control-Max-Age", "3600");
if ("OPTIONS".equals(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
return; return;
} else { }
if (isExcludedEndpoint(requestPath)) {
String authorizationHeader = request.getHeader("Authorization");
if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.getWriter().write("Authorization header is missing or invalid");
return;
}
String token = authorizationHeader.substring(7);
MaintLegalEntity maintLegalEntity = DomainUtil.getLegalEntityCodeByDomain(request.getHeader("Host"));
if (!JwtTokenUtil.validateJwt(token, maintLegalEntity)) {
String message = "Your session has expired please re-login again";
Map<String, Object> responseMap = new HashMap<>();
response.setStatus(HttpStatus.UNAUTHORIZED.value());
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
}
String userId = JwtTokenUtil.getUserIdFromJwt(token);
String legalEntityCode = JwtTokenUtil.getLeCodeFromJwt(token);
UserSession userDetails = userSessionRepository.findByUserIdAndLegalEntityCode(userId,
Integer.parseInt(legalEntityCode));
if (JwtTokenUtil.getUserIdFromJwt(token) == null || userDetails == null) {
String message = "Not a valid session";
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> responseMap = new HashMap<>();
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
}
if (AuthorizationHelper.isToBeAuthorizedEndpointWithTemporaryToken(requestPath)) {
if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId)) {
String message = "Not a valid session";
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> responseMap = new HashMap<>();
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
} else {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
return; return;
} }
String authorizationHeader = request.getHeader("Authorization");
if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.getWriter().write("Authorization header is missing or invalid");
return;
}
String token = authorizationHeader.substring(7);
MaintLegalEntity maintLegalEntity = DomainUtil.getLegalEntityCodeByDomain(request.getHeader("Host"));
if (!JwtTokenUtil.validateJwt(token, maintLegalEntity)) {
String message = "Your session has expired please re-login again";
Map<String, Object> responseMap = new HashMap<>();
response.setStatus(HttpStatus.UNAUTHORIZED.value());
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
}
String userId = JwtTokenUtil.getUserIdFromJwt(token);
String legalEntityCode = JwtTokenUtil.getLeCodeFromJwt(token);
UserSession userDetails = userSessionRepository.findByUserIdAndLegalEntityCode(userId, Integer.parseInt(legalEntityCode));
if (JwtTokenUtil.getUserIdFromJwt(token) == null || userDetails == null) {
String message = "Not a valid session";
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> responseMap = new HashMap<>();
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
}
if(AuthorizationHelper.isToBeAuthorizedEndpointWithTemporaryToken(requestPath)){
if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId)) {
String message = "Not a valid session";
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> responseMap = new HashMap<>();
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
}else{
filterChain.doFilter(request, response);
return;
}
}
if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId) || !token.equals(userDetails.getToken())) {
String message = "Not a valid session";
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> responseMap = new HashMap<>();
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
}
filterChain.doFilter(request, response);
} }
if (!JwtTokenUtil.getUserIdFromJwt(token).equals(userId) || !token.equals(userDetails.getToken())) {
String message = "Not a valid session";
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> responseMap = new HashMap<>();
responseMap.put("success", false);
responseMap.put("message", message);
ObjectMapper objectMapper = new ObjectMapper();
String jsonResponse = objectMapper.writeValueAsString(responseMap);
response.getWriter().write(jsonResponse);
response.setContentType("application/json");
response.setCharacterEncoding("UTF-8");
return;
}
filterChain.doFilter(request, response);
} }

40
baasDOSLcl/src/main/java/com/bankaudit/security/SecurityConfig.java Normal file
View File

@ -0,0 +1,40 @@
package com.bankaudit.security;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@Configuration
public class SecurityConfig {
@Bean
public CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOriginPatterns(List.of("http://localhost:4200","https://openledger-sit.finakon.in")); // Don't use "*" with credentials
config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
config.setAllowedHeaders(List.of("*"));
config.setAllowCredentials(true); // Important if Authorization header is used
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", config);
return source;
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.cors().and()
.csrf().disable()
.authorizeRequests()
.anyRequest().permitAll(); // or restrict specific endpoints
return http.build();
}
}