Skip to content
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 35 additions & 7 deletions src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java
Original file line number Diff line number Diff line change
Expand Up @@ -85,14 +85,42 @@ protected void configure(HttpSecurity http) throws Exception {
.addFilterAfter(googleOpenIdConnectFilter(), OAuth2ClientContextFilter.class)
.addFilterAfter(microsoftOpenIdConnectFilter(), OAuth2ClientContextFilter.class)
.addFilterAfter(authenticationProcessingFilter(), GoogleOpenIdConnectFilter.class)
.authorizeRequests().antMatchers("/api/login/impersonate")
.hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/admin/**")
.hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/author/**").hasAnyRole("TEACHER")
.authorizeRequests()
// Static assets served by the resource handlers configured in WebConfig are public
// content (portal scripts, themes and translations, the runtime engine, project
// files and project icons). They must stay reachable without signing in, now that
// unmatched requests are denied by default, otherwise the login and public preview
// pages would fail to load their assets. Student uploaded files are intentionally
// excluded so they continue to require authentication.
.antMatchers("/pages/resources/**", "/portal/javascript/**", "/portal/themes/**",
"/portal/translate/**", "/vle/**", "/curriculum/**", "/projectIcons/**").permitAll()
.antMatchers("/api/login/impersonate").hasAnyRole("ADMINISTRATOR", "RESEARCHER")
.antMatchers("/admin/**").hasAnyRole("ADMINISTRATOR", "RESEARCHER")
.antMatchers("/author/**").hasAnyRole("TEACHER")
.antMatchers("/project/notifyAuthor*/**").hasAnyRole("TEACHER")
.antMatchers("/student/account/info").hasAnyRole("TEACHER").antMatchers("/student/**")
.hasAnyRole("STUDENT").antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/teacher/**").hasAnyRole("TEACHER").antMatchers("/sso/discourse")
.hasAnyRole("TEACHER", "STUDENT").antMatchers("/").permitAll();
.antMatchers("/student/account/info").hasAnyRole("TEACHER")
.antMatchers("/student/**").hasAnyRole("STUDENT")
.antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/teacher/**").hasAnyRole("TEACHER")
.antMatchers("/sso/discourse").hasAnyRole("TEACHER", "STUDENT")
// Endpoints that must stay reachable without authentication: sign-in and its
// OAuth callbacks, account registration, account and password recovery, the
// contact form, the public home, news, library and preview content, and the
// application bootstrap configuration. Every request that does not match a rule
// above falls through to the final rule and now requires authentication, rather
// than being permitted by default.
.antMatchers("/", "/login", "/login/**", "/errors/**", "/run-survey/**",
"/previewproject.html").permitAll()
.antMatchers("/api/j_acegi_security_check", "/api/google-login", "/api/microsoft-login",
"/api/logout").permitAll()
.antMatchers("/api/student/register", "/api/student/register/questions",
"/api/teacher/register", "/api/contact").permitAll()
.antMatchers("/api/student/forgot/**", "/api/teacher/forgot/**").permitAll()
.antMatchers("/api/user/config", "/api/user/info", "/api/user/languages",
"/api/announcement", "/api/news", "/api/project/library", "/api/project/community",
"/api/config/vle", "/api/config/preview/**", "/api/run/info", "/api/runInfo",
"/api/session/renew", "/api/google-user/check-user-exists").permitAll()
.anyRequest().authenticated();
http.formLogin().loginPage("/login").permitAll();
http.logout().addLogoutHandler(wiseLogoutHandler())
.logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"));
Expand Down