@Bean public ResourceServerConfigurer resourceServer(SecurityProperties securityProperties) { return new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { if (securityProperties.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } http.authorizeRequests() .antMatchers(HttpMethod.POST, "/patients/**").access(hasScopes("phr.hie_write", "registration.write")) .antMatchers(HttpMethod.GET, "/management/**").access(hasScope("registration.management")) .antMatchers(HttpMethod.POST, "/management/**").access(hasScope("registration.management")) .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .anyRequest().denyAll(); } }; }
@Bean public ResourceServerConfigurer resourceServer(SecurityProperties securityProperties) { return new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { if (securityProperties.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } http.authorizeRequests() // TODO: May add permission for accessing following resource .antMatchers(HttpMethod.POST, "/segmentedDocument/**").permitAll() .antMatchers(HttpMethod.POST, "/validateDocument/**").permitAll() // Security scope for accessing management endpoint .antMatchers(HttpMethod.GET, "/management/**").access(hasScope("dss.management")) .antMatchers(HttpMethod.POST, "/management/**").access(hasScope("dss.management")) .anyRequest().denyAll(); } }; }
@Bean public ResourceServerConfigurer resourceServer(SecurityProperties securityProperties) { return new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { if (securityProperties.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } http.authorizeRequests() // TODO: May add permission for accessing following resource .antMatchers(HttpMethod.POST, "/policyEnforcement/**").permitAll() // Security scope for accessing management endpoint .antMatchers(HttpMethod.GET, "/management/**").access(hasScope("contextHandler.management")) .antMatchers(HttpMethod.POST, "/management/**").access(hasScope("contextHandler.management")) .anyRequest().denyAll(); } }; }
@Bean public ResourceServerConfigurer resourceServer(SecurityProperties securityProperties) { return new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { if (securityProperties.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } http.authorizeRequests() .antMatchers(HttpMethod.GET, "/management/**").access(hasScope("patientUser.management")) .antMatchers(HttpMethod.POST, "/management/**").access(hasScope("patientUser.management")) .antMatchers(HttpMethod.GET, "/creations/**").access(hasScopes("patientUser.read", "phr.allPatientProfiles_read", "scim.read")) .antMatchers(HttpMethod.POST, "/creations/**").access(hasScopes("patientUser.write", "phr.allPatientProfiles_read", "scim.write")) .antMatchers(HttpMethod.POST, "/scopeAssignments").access(hasScopes("patientUser.scope_assign")) .antMatchers(HttpMethod.POST, "/activations/**").permitAll() .antMatchers(HttpMethod.GET, "/verifications/**").permitAll() .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .anyRequest().denyAll(); } }; }
@Bean public ResourceServerConfigurer resourceServer(SecurityProperties securityProperties) { return new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { if (securityProperties.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } http.authorizeRequests() .antMatchers(HttpMethod.GET, "/management/**").access(hasScope("pcm.management")) .antMatchers(HttpMethod.POST, "/management/**").access(hasScope("pcm.management")) // FIXME (#27): Change following method to protect new attest consent endpoint .antMatchers(HttpMethod.GET, "/patients/consents/signConsent/**").access(hasScope("pcm.consent_sign")) // FIXME (#28): Change following method to protect new attest consent revocation endpoint .antMatchers(HttpMethod.GET, "/patients/consents/revokeConsent/**").access(hasScope("pcm.consent_revoke")) .antMatchers(HttpMethod.GET, "/patients/providers/**").access(hasScope("pcm.provider_read")) .antMatchers(HttpMethod.POST, "/patients/providers/**").access(hasScope("pcm.provider_create")) .antMatchers(HttpMethod.DELETE, "/patients/providers/**").access(hasScope("pcm.provider_delete")) .antMatchers(HttpMethod.GET, "/patients/consents/**").access(hasScope("pcm.consent_read")) .antMatchers(HttpMethod.POST, "/patients/consents/**").access(hasScope("pcm.consent_create")) .antMatchers(HttpMethod.PUT, "/patients/consents/**").access(hasScope("pcm.consent_update")) .antMatchers(HttpMethod.DELETE, "/patients/consents/**").access(hasScope("pcm.consent_delete")) .antMatchers(HttpMethod.GET, "/patients/activities/**").access(hasScope("pcm.activity_read")) .antMatchers(HttpMethod.GET, "/patients/clinicaldocuments/**").access(hasScope("pcm.clinicalDocument_read")) .antMatchers(HttpMethod.POST, "/patients/clinicaldocuments/**").access(hasScope("pcm.clinicalDocument_create")) .antMatchers(HttpMethod.DELETE, "/patients/clinicaldocuments/**").access(hasScope("pcm.clinicalDocument_delete")) .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .antMatchers(HttpMethod.GET, "/patients/purposeOfUse", "/patients/medicalSection", "/patients/sensitivityPolicy").authenticated() // TODO (#29)(BU): remove this permission after VSS is separated .antMatchers(HttpMethod.GET, "/lookupService/**").permitAll() .antMatchers(HttpMethod.POST, "/lookupService/**").permitAll() .anyRequest().denyAll(); } }; }
@Bean public ResourceServerConfigurer resourceServer(SecurityProperties securityProperties) { return new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { if (securityProperties.isRequireSsl()) { http.requiresChannel().anyRequest().requiresSecure(); } http.authorizeRequests() .antMatchers(HttpMethod.GET, "/patients/healthInformation/**").access("#oauth2.hasScope('phr.hie_read')") .antMatchers(HttpMethod.POST, "/patients/healthInformation/publish").access("#oauth2.hasScope('phr.hie_write')") .antMatchers(HttpMethod.GET, "/patients/pageNumber/**").access("#oauth2.hasScope('phr.allPatients_read')") .antMatchers(HttpMethod.GET, "/patients/patientDemographic/**").access("#oauth2.hasScope('phr.allPatients_read')") .antMatchers(HttpMethod.GET, "/patients/search/**").access("#oauth2.hasScope('phr.allPatients_read')") .antMatchers(HttpMethod.GET, "/patients/*/profile").access("#oauth2.hasScope('phr.allPatientProfiles_read')") .antMatchers(HttpMethod.GET, "/patients/*/patientIdentifier").access("#oauth2.hasScope('phr.allPatientProfiles_read')") .antMatchers(HttpMethod.PUT, "/patients/*").access(hasScopes("phr.AllPatients_write", "phr.hie_write")) .antMatchers(HttpMethod.GET, "/patients").access("#oauth2.hasScope('phr.patient_read')") .antMatchers(HttpMethod.POST, "/patients").access(hasScopes("phr.hie_write", "registration.write")) .antMatchers(HttpMethod.GET, "/statecodes/**").access("#oauth2.hasScope('phr.patient_read')") .antMatchers(HttpMethod.GET, "/management/**").access("#oauth2.hasScope('phr.management')") .antMatchers(HttpMethod.POST, "/management/**").access("#oauth2.hasScope('phr.management')") .antMatchers(HttpMethod.OPTIONS, "/**").permitAll() .anyRequest().denyAll(); } }; }
/** * Resource of api * * @return {@link ResourceServerConfiguration} */ @Bean protected ResourceServerConfiguration adminResources() { ResourceServerConfiguration resource = new ResourceServerConfiguration() { // Switch off the Spring Boot @Autowired configurers public void setConfigurers(List<ResourceServerConfigurer> configurers) { super.setConfigurers(configurers); } }; resource.setConfigurers(Collections.singletonList(new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.resourceId(RESOURCE_ID); } @Override public void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers(OPEN_URL).permitAll() .antMatchers(MANAGEMENT_URL).hasAnyAuthority("root", "management") .antMatchers(APP_URL).hasAnyAuthority("root", "management", "app"); } })); resource.setOrder(1); return resource; }
@Bean public ResourceServerConfigurer resourceServerConfigurerAdapter() { return new ResourceServerConfigurerAdapter() { @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources.resourceId("todo"); } @Override public void configure(HttpSecurity http) throws Exception { http.addFilterAfter(new OncePerRequestFilter() { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { // We don't want to allow access to a resource with no token so clear // the security context in case it is actually an OAuth2Authentication if (tokenExtractor.extract(request) == null) { SecurityContextHolder.clearContext(); } filterChain.doFilter(request, response); } }, AbstractPreAuthenticatedProcessingFilter.class); http.csrf().disable(); http.authorizeRequests().anyRequest().authenticated(); } }; }
