rajah 11 miesięcy temu
rodzic
commit
34aa941375

+ 52 - 0
src/main/java/fr/triplea/demovote/security/CorsFilter.java

@@ -0,0 +1,52 @@
+package fr.triplea.demovote.security;
+
+import java.io.IOException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.annotation.Order;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.annotation.WebFilter;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+@WebFilter("/*")
+@Order(2)
+public class CorsFilter implements Filter 
+{
+  
+  private final Logger LOG = LoggerFactory.getLogger(CorsFilter.class);
+
+  public CorsFilter() { LOG.info("CorsFilter Init"); }
+
+  @Override
+  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException
+  {
+
+    HttpServletRequest request = (HttpServletRequest) req;
+    HttpServletResponse response = (HttpServletResponse) res;
+
+    response.setHeader("Access-Control-Allow-Origin", "https://localhost:4200");
+    response.setHeader("Access-Control-Allow-Credentials", "true");
+    response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS, DELETE");
+    response.setHeader("Access-Control-Max-Age", "3600");
+    response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+
+    if (request.getMethod().equals("OPTIONS")) { response.setStatus(HttpServletResponse.SC_ACCEPTED); return; }
+
+    chain.doFilter(req, res);
+  }
+
+  @Override
+  public void init(FilterConfig filterConfig) {}
+
+  @Override
+  public void destroy() {}
+  
+}
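Review bot: The `OPTIONS` branch in `doFilter` answers every OPTIONS request with 202 and returns before `chain.doFilter`, so any OPTIONS call — not only a browser preflight — bypasses the security filters that follow, and 202 is an unusual reply for a preflight (204 is the conventional one). Limiting the short-circuit to real preflights is a one-line change: `if ("OPTIONS".equals(request.getMethod()) && request.getHeader("Access-Control-Request-Method") != null) { response.setStatus(HttpServletResponse.SC_NO_CONTENT); return; }`. The allowed origin on the `Access-Control-Allow-Origin` line is hard-coded to the dev URL `https://localhost:4200` while `Access-Control-Allow-Credentials` is `true`; that value should come from configuration (for example a `@Value`-injected property, name to be chosen) so a deployment does not ship the dev origin. The unchecked casts to `HttpServletRequest`/`HttpServletResponse` and the per-request invocation concerns would both be covered by extending Spring's `OncePerRequestFilter` instead of implementing `Filter` directly, and the non-static `LOG` field would conventionally be `private static final Logger LOG`.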

+ 10 - 3
src/main/java/fr/triplea/demovote/security/SecurityConfig.java

@@ -14,6 +14,7 @@ import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
@@ -33,7 +34,7 @@ public class SecurityConfig
 {
  
   // TODO: CSRF-TOKEN
-  // TODO: HTTPS
+  // TODO: XSS-Filter ne marche plus après l'ajout du CORS-Filter
   // TODO: déconnexion automatique après timeout
 
   @Bean
@@ -79,7 +80,12 @@ public class SecurityConfig
   @Bean
   public JwtTokenFilter jwtTokenFilter() { return new JwtTokenFilter(); }
   
-  Class<? extends UsernamePasswordAuthenticationFilter> clazz = UsernamePasswordAuthenticationFilter.class;
+  Class<? extends UsernamePasswordAuthenticationFilter> upaf_clazz = UsernamePasswordAuthenticationFilter.class;
+
+  @Bean
+  public CorsFilter corsFilter() { return new CorsFilter(); }
+ 
+  Class<? extends ChannelProcessingFilter> cpf_clazz = ChannelProcessingFilter.class;
 
   
   @Bean
@@ -95,7 +101,8 @@ public class SecurityConfig
           .requestMatchers("/participant/**").hasRole("ORGA")
           .anyRequest().authenticated()
           )
-        .addFilterBefore(jwtTokenFilter(), clazz)
+        .addFilterBefore(jwtTokenFilter(), upaf_clazz)
+        .addFilterBefore(corsFilter(), cpf_clazz)
         .securityContext(sc -> sc.securityContextRepository(securityContextRepository).requireExplicitSave(true))
         .headers(headers -> headers
           .xssProtection(xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
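Review bot: The new `corsFilter()` `@Bean` exposes a `Filter` that Spring Boot registers with the servlet container by itself, the class also carries `@WebFilter("/*")` (effective if `@ServletComponentScan` is enabled), and the new `.addFilterBefore(corsFilter(), cpf_clazz)` line places the same instance inside the security chain — so the filter is likely to run more than once per request, and its OPTIONS short-circuit fires in the container-level pass before the security chain is even reached. Register it exactly once: either drop the bean and the `addFilterBefore` line and rely on one container-level registration, or keep the security-chain placement and suppress container registration with a `FilterRegistrationBean<CorsFilter>` on which `setEnabled(false)` is called; Spring Security's own `http.cors(...)` with a `CorsConfigurationSource` bean would be the idiomatic replacement for a hand-written filter. The French TODO on the new comment line about the XSS header no longer being set may be a symptom of this double registration, though that cannot be confirmed from the hunk. As a point of style, the package-private fields `upaf_clazz`/`cpf_clazz` add nothing over passing `UsernamePasswordAuthenticationFilter.class` and `ChannelProcessingFilter.class` directly to `addFilterBefore`, and if kept they should be `private static final` with lowerCamelCase names. The `securityFilterChain` builder continues past the end of this hunk.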

+ 1 - 0
src/main/java/fr/triplea/demovote/security/ServerConfig.java

@@ -35,6 +35,7 @@ public class ServerConfig
     };
     
     tomcat.addAdditionalTomcatConnectors(getHttpConnector());
+    
     return tomcat;
   }
 

+ 0 - 3
src/main/java/fr/triplea/demovote/web/controller/AccountController.java

@@ -6,7 +6,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -17,8 +16,6 @@ import fr.triplea.demovote.dao.ParticipantRepository;
 import fr.triplea.demovote.dto.ParticipantTransfer;
 import fr.triplea.demovote.model.Participant;
 
-
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/account")
 public class AccountController 

+ 0 - 3
src/main/java/fr/triplea/demovote/web/controller/AuthController.java

@@ -13,7 +13,6 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -35,8 +34,6 @@ import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 
-
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/sign")
 public class AuthController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/BulletinController.java

@@ -7,7 +7,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -24,7 +23,6 @@ import fr.triplea.demovote.model.Categorie;
 import fr.triplea.demovote.model.Participant;
 import fr.triplea.demovote.model.Production;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/urne")
 public class BulletinController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/CategorieController.java

@@ -7,7 +7,6 @@ import java.util.Map;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -20,7 +19,6 @@ import org.springframework.web.bind.annotation.RestController;
 import fr.triplea.demovote.dao.CategorieRepository;
 import fr.triplea.demovote.model.Categorie;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/categorie")
 public class CategorieController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/DiversController.java

@@ -3,7 +3,6 @@ package fr.triplea.demovote.web.controller;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -12,7 +11,6 @@ import fr.triplea.demovote.dao.VariableRepository;
 import fr.triplea.demovote.dto.JourneesTransfer;
 import fr.triplea.demovote.dto.MessagesTransfer;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/divers")
 public class DiversController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/MessageController.java

@@ -4,7 +4,6 @@ import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -13,7 +12,6 @@ import org.springframework.web.bind.annotation.RestController;
 import fr.triplea.demovote.dao.MessageRepository;
 import fr.triplea.demovote.model.Message;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/message")
 public class MessageController 

+ 0 - 3
src/main/java/fr/triplea/demovote/web/controller/ParticipantController.java

@@ -11,7 +11,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -30,8 +29,6 @@ import fr.triplea.demovote.model.Participant;
 import fr.triplea.demovote.model.ParticipantModePaiement;
 import fr.triplea.demovote.model.ParticipantStatut;
 
-
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/participant")
 public class ParticipantController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/PreferenceController.java

@@ -5,7 +5,6 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
@@ -18,7 +17,6 @@ import fr.triplea.demovote.dao.PreferenceRepository;
 import fr.triplea.demovote.model.Participant;
 import fr.triplea.demovote.model.Preference;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/preference")
 public class PreferenceController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/PresentationController.java

@@ -5,7 +5,6 @@ import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -13,7 +12,6 @@ import org.springframework.web.bind.annotation.RestController;
 import fr.triplea.demovote.dao.PresentationRepository;
 import fr.triplea.demovote.model.Presentation;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/presentation")
 public class PresentationController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/ProductionController.java

@@ -12,7 +12,6 @@ import org.springframework.core.io.Resource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -36,7 +35,6 @@ import fr.triplea.demovote.model.ProductionType;
 import io.hypersistence.utils.hibernate.type.basic.Inet;
 import jakarta.servlet.http.HttpServletRequest;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/production")
 public class ProductionController 

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/VariableController.java

@@ -8,7 +8,6 @@ import java.util.Map;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -23,7 +22,6 @@ import fr.triplea.demovote.dao.VariableRepository;
 import fr.triplea.demovote.dto.VariableTypeOptionList;
 import fr.triplea.demovote.model.Variable;
 
-@CrossOrigin(origins = "https://localhost:4200")
 @RestController
 @RequestMapping("/variable")
 public class VariableController