сдана 6

2023-05-15 16:04:43 +04:00 · 2023-05-15 16:04:43 +04:00 · 0a86d54ff6
commit 0a86d54ff6
parent 5bfc441e59
7 changed files with 84 additions and 36 deletions
--- a/demo/src/main/java/com/example/demo/configuration/SecurityConfiguration.java
+++ b/demo/src/main/java/com/example/demo/configuration/SecurityConfiguration.java
@ -16,7 +16,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur

@Configuration
@EnableWebSecurity
-@EnableGlobalMethodSecurity(securedEnabled = true)
+@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    private final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);
    private static final String LOGIN_URL = "/login";
--- a/demo/src/main/java/com/example/demo/supply/Order/OrderMvcController.java
+++ b/demo/src/main/java/com/example/demo/supply/Order/OrderMvcController.java
@ -4,6 +4,8 @@ import com.example.demo.supply.Product.ProductDto;
 import com.example.demo.supply.Product.ProductService;
 import com.example.demo.supply.Supplier.SupplierDto;
 import com.example.demo.supply.Supplier.SupplierService;
+import com.example.demo.supply.User.UserRole;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
@ -55,6 +57,7 @@ public class OrderMvcController {
    }

    @GetMapping("/add")
+    @Secured({UserRole.AsString.ADMIN})
    public String addOrder(Model model) {
        model.addAttribute("orderDto", new OrderDtoForCreate());
        model.addAttribute("selectedSupplier", null);
@ -64,6 +67,7 @@ public class OrderMvcController {
    }

    @PostMapping("/create")
+    @Secured({UserRole.AsString.ADMIN})
    public String saveOrder(Model model,
                            @ModelAttribute("orderDto") @Valid OrderDtoForCreate order,
                            BindingResult bindingResult) {
--- a/demo/src/main/java/com/example/demo/supply/Product/ProductMvcController.java
+++ b/demo/src/main/java/com/example/demo/supply/Product/ProductMvcController.java
@ -1,11 +1,16 @@
 package com.example.demo.supply.Product;

+import com.example.demo.supply.User.UserRole;
+import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.*;

 import javax.validation.Valid;
+import java.security.Principal;

@Controller
@RequestMapping("/product")
@ -25,7 +30,9 @@ public class ProductMvcController {

    @GetMapping(value = {"/edit", "/edit/{id}"})
    public String editProduct(@PathVariable(required = false) Long id,
-                              Model model) {
+                              Model model, Principal principal) {
+        String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+        if(UserRole.ADMIN.toString().equals(roleName)) {
            if (id == null || id <= 0) {
                model.addAttribute("productDto", new ProductDto());
            } else {
@ -34,12 +41,17 @@ public class ProductMvcController {
            }
            return "product-edit";
        }
+        else return "redirect:/product";
+    }

    @PostMapping(value = {"", "/{id}"})
    public String saveProduct(@PathVariable(required = false) Long id,
                              @ModelAttribute @Valid ProductDto productDto,
                              BindingResult bindingResult,
-                              Model model) {
+                              Model model,
+                              Principal principal) {
+        String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+        if(UserRole.ADMIN.toString().equals(roleName)) {
            if (bindingResult.hasErrors()) {
                model.addAttribute("errors", bindingResult.getAllErrors());
                return "product-edit";
@ -51,10 +63,16 @@ public class ProductMvcController {
            }
            return "redirect:/product";
        }
+        else return "redirect:/product";
+    }

    @PostMapping("/delete/{id}")
-    public String deleteProduct(@PathVariable Long id) {
+    public String deleteProduct(@PathVariable Long id, Principal principal) {
+        String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+        if(UserRole.ADMIN.toString().equals(roleName)) {
            productService.deleteProduct(id);
            return "redirect:/product";
        }
+        else return "redirect:/product";
+    }
 }
--- a/demo/src/main/java/com/example/demo/supply/User/UserMvcController.java
+++ b/demo/src/main/java/com/example/demo/supply/User/UserMvcController.java
@ -2,6 +2,7 @@ package com.example.demo.supply.User;

 import org.springframework.data.domain.Page;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
@ -9,6 +10,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;


+import java.security.Principal;
 import java.util.List;
 import java.util.stream.IntStream;

@ -22,10 +24,12 @@ public class UserMvcController {
    }

    @GetMapping
-    @Secured({UserRole.AsString.ADMIN})
    public String getUsers(@RequestParam(defaultValue = "1") int page,
                           @RequestParam(defaultValue = "5") int size,
-                           Model model) {
+                           Model model, Principal principal) {
+
+        String roleName = ((Authentication)principal).getAuthorities().toArray()[0].toString();
+        if(UserRole.ADMIN.toString().equals(roleName)) {
            final Page<UserDto> users = userService.findAllPages(page, size)
                    .map(UserDto::new);
            model.addAttribute("users", users);
@ -37,4 +41,9 @@ public class UserMvcController {
            model.addAttribute("totalPages", totalPages);
            return "users";
        }
+        else{
+            model.addAttribute("error", "Доступ запрещен");
+            return "error";
+        }
+    }
 }
--- a/demo/src/main/resources/templates/default.html
+++ b/demo/src/main/resources/templates/default.html
@ -42,6 +42,7 @@
                <a class="nav-link" href="/logout">
                    Выход (<span th:text="${#authentication.name}"></span>)
                </a>
+
            </ul>
        </div>
    </div>
--- a/demo/src/main/resources/templates/error.html
+++ b/demo/src/main/resources/templates/error.html
@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+      xmlns:th="http://www.thymeleaf.org"
+      layout:decorate="~{default}">
+<body>
+<div class="container" layout:fragment="content">
+    <div class="alert alert-danger">
+        <span th:text="${error}"></span>
+    </div>
+    <a href="/">На главную</a>
+</div>
+</body>
+</html>
--- a/demo/src/main/resources/templates/product.html
+++ b/demo/src/main/resources/templates/product.html
@ -1,6 +1,8 @@
 <!DOCTYPE html>
 <html lang="en"
-      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" xmlns:th="http://www.thymeleaf.org"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+      xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity6"
+      xmlns:th="http://www.thymeleaf.org"
      layout:decorate="~{default}">
 <head>
 </head>