
dev en cours

rajah 11 月之前
父節點
當前提交
6efa506fd7

+ 1 - 1
bin/main/application.properties

@@ -19,5 +19,5 @@ server.servlet.context-path=/demovote-api/v1
 #logging.logback.rollingpolicy.total-size-cap=10MB
 #logging.logback.rollingpolicy.max-history=5
 
-jwttoken.secret=alchimie!!!
+jwttoken.secret=ee3c5233e2fde173cf7f401e5fb45aa47937a76f45e5fdcff29bedba6e6ea61c695ac0058ead08561261445b6f547aced2e335c2cc210fab42bc4b5317f987e9297b5c0e19eb21f38d0fd5cf69ba4cfa7ed0fa02d299a34ed6fdf22b508997a573075c4c375e6f3e45c7cb82c78958b2f3d47a87145eb74334023429401f584928a224796093afad62696dc9bab1cfdf4368a2263a13480b80faf873ca1f1cb067da4db75ec53379e0da1d3a61572dbeebfc3484f6f2ed333c96154036d0c22a5a2a59895ee6711e77e604e8b8c5b0a45fb2cce05298d12c25e1f9a6ba4d030ce2e480c1e3ad3fe0551c2a136bd18635c829f7eb4f92f4e34ec67e95bb966dac
 jwttoken.expiration=3600000 
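Review bot: The new `jwttoken.secret=` value is a live signing key committed in clear text, and it sits under `bin/main/`, which looks like build output rather than source; the same line is repeated in `src/main/resources/application.properties` at the end of this commit. Once it is in repository history the key has to be treated as exposed and rotated, whatever else is done with this file. Read it from the environment instead, `jwttoken.secret=${JWT_SECRET}`, and keep the real value out of version control; adding `bin/` to `.gitignore` would avoid shipping a second copy.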

+ 4 - 1
src/main/java/fr/triplea/demovote/dao/ParticipantRepository.java

@@ -65,8 +65,11 @@ public interface ParticipantRepository extends JpaRepository<Participant, Intege
       + "p.flag_arrive "
       + "FROM vote.participants AS p "
       + "WHERE p.flag_actif IS TRUE "
+      + "AND ((:nom is null) OR (UPPER(p.nom) LIKE CONCAT('%', :nom, '%')) OR (UPPER(p.prenom) LIKE CONCAT('%', :nom, '%')) OR (UPPER(p.pseudonyme) LIKE CONCAT('%', :nom, '%')) OR (UPPER(p.groupe) LIKE CONCAT('%', :nom, '%')) OR (UPPER(p.email) LIKE CONCAT('%', :nom, '%'))) "
+      + "AND ((:statut = 0) OR (:statut = 1 AND p.statut = 'EN_ATTENTE'::vote.statut_participant)) "
+      + "AND ((:arrive = 0) OR (:arrive = 1 AND p.flag_arrive = FALSE) OR (:arrive = 2 AND p.flag_arrive = TRUE)) "
       + "ORDER BY p.nom ASC, p.prenom ASC, p.pseudonyme ASC ")
-  List<ParticipantList> getList();
+  List<ParticipantList> getList(@Param("nom") String nom, @Param("statut") int statut, @Param("arrive") int arrive);
 
   @NativeQuery("SELECT DISTINCT p.* FROM vote.participants AS p WHERE p.flag_actif IS TRUE ORDER BY p.nom ASC, p.prenom ASC, p.pseudonyme ASC ")
   List<Participant> findAll();
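Review bot: The `:nom` parameter is bound inside `LIKE CONCAT('%', :nom, '%')` without escaping `%` and `_`, so a filter value containing either character acts as a wildcard and matches rows it should not; the binding itself is parameterized, so this is a semantics issue, not an injection one. Either escape those two characters before binding or document the contract on `getList`, e.g. `/** @param nom upper-cased substring filter; LIKE wildcards are not escaped, null disables the filter */`. The `statut` predicate only has meaning for 0 and 1 and `arrive` for 0–2; any other value makes the whole `AND` false and silently returns an empty list, which is worth stating in the same Javadoc. The `@NativeQuery` string that these lines belong to begins before this hunk.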

+ 8 - 0
src/main/java/fr/triplea/demovote/dto/UserCredentials.java

@@ -25,6 +25,14 @@ public class UserCredentials
   public void setRole(String s) { this.role = new String(s); }
   public String getRole() { return this.role; }
   public boolean hasRole() { if (this.role != null) { if (!(this.role.isBlank())) { return true; }} return false; }
+  
+  private String token;
+  public void setToken(String s) { this.token = new String(s); }
+  public String getToken() { return this.token; }
+  
+  private String erreur;
+  public void setErreur(String s) { this.erreur = new String(s); }
+  public String getErreur() { return this.erreur; }
 
   public UserCredentials() {}
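Review bot: `setToken` and `setErreur` copy their argument with `new String(s)`, which allocates for nothing and throws NullPointerException when `s` is null; `this.token = s;` and `this.erreur = s;` are enough (the existing `setRole` has the same shape). Since this DTO is now the login response as well as the login request, a short class-level comment on which fields flow in which direction would help readers, e.g. `// inbound: username/password; outbound: token, role, erreur, plus a marker written into password on success`.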
   

+ 0 - 18
src/main/java/fr/triplea/demovote/model/AuthResponse.java

@@ -1,18 +0,0 @@
-package fr.triplea.demovote.model;
-
-import java.util.List;
-
-public class AuthResponse 
-{
-
-  private String token;
-  
-  private List<String> roles;
-
-  public String getToken() { return token; }
-  public void setToken(String token) { this.token = token; }
-
-  public List<String> getRoles() { return roles; }
-  public void setRoles(List<String> roles) { this.roles = roles; }
-  
-}

+ 8 - 0
src/main/java/fr/triplea/demovote/model/MyUserDetails.java

@@ -3,15 +3,23 @@ package fr.triplea.demovote.model;
 import java.util.Collection;
 import java.util.Set;
 import java.util.stream.Collectors;
+
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
 import com.fasterxml.jackson.annotation.JsonIgnore;
 
 public class MyUserDetails implements UserDetails 
 {
 
   private static final long serialVersionUID = -2662964904357800987L;
+
+  @Autowired
+  @JsonIgnore
+  public PasswordEncoder passwordEncoder;
   
   private Integer id; 
   
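Review bot: `@Autowired` on a field of `MyUserDetails` only takes effect if the object is created by the Spring container; a `UserDetails` that the service instantiates with `new` (the diff does not show how it is built) will keep `passwordEncoder` null. The field is also `public` and non-`transient` on a class that declares `serialVersionUID`, so serializing the principal would fail on the non-serializable encoder even though `@JsonIgnore` hides it from JSON. Nothing in this commit reads the field — the password comparison lives in AuthController — so the cleanest fix is to drop the field together with the `Autowired` and `PasswordEncoder` imports; if it must stay, make it `private transient`.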

+ 9 - 8
src/main/java/fr/triplea/demovote/security/SecurityConfig.java

@@ -24,8 +24,9 @@ import org.springframework.security.web.context.RequestAttributeSecurityContextR
 public class SecurityConfig
 {
  
-  // TODO: JWT, CSRF-TOKEN, filtrage anti-XSS, filtrage anti-SQL-injection, Header FrameOptions, etc
-  
+  // TODO: CSRF-TOKEN, filtrage anti-XSS, filtrage anti-SQL-injection, etc
+  // TODO: gérer le 403 au niveau du frontend (en cas d'expiration du JWT)
+
   @Autowired
   private MyUserDetailsService myUserDetailsService;
 
@@ -67,16 +68,16 @@ public class SecurityConfig
         .authenticationProvider(authenticationProvider())
         .authorizeHttpRequests((authorizeHttpRequests) -> authorizeHttpRequests
           .requestMatchers("/divers/**", "/sign/**").permitAll()
-          .requestMatchers("/account/**", "/preference/**", "/message/**", "/urne/**", "/resultats/**").permitAll() //.hasRole("USER")
-          .requestMatchers("/variable/**", "/categorie/**", "/production/**", "/presentation/**").permitAll() //.hasRole("ADMIN")
-          .requestMatchers("/participant/**").permitAll() //.hasRole("ORGA")
+          .requestMatchers("/account/**", "/preference/**", "/message/**", "/urne/**", "/resultats/**").hasRole("USER")
+          .requestMatchers("/variable/**", "/categorie/**", "/production/**", "/presentation/**").hasRole("ADMIN")
+          .requestMatchers("/participant/**").hasRole("ORGA")
           .anyRequest().authenticated()
           )
         .addFilterBefore(jwtTokenFilter(), clazz)
-        .securityContext(securityContext -> securityContext.securityContextRepository(securityContextRepository).requireExplicitSave(false))
+        .securityContext(securityContext -> securityContext.securityContextRepository(securityContextRepository).requireExplicitSave(true))
         .headers(headers -> headers.frameOptions(customize -> customize.disable()))
-        .sessionManagement(session -> session.maximumSessions(2).sessionRegistry(sessionRegistry())
-        );
+        .sessionManagement(session -> session.maximumSessions(2).sessionRegistry(sessionRegistry()))
+        ;
         
     return http.build();
   }
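Review bot: The first hunk removes "Header FrameOptions" from the TODO, but the chain in the second hunk still calls `headers.frameOptions(customize -> customize.disable())`, so the X-Frame-Options header is still suppressed and the TODO no longer records that. Either keep the item in the TODO or switch to `.headers(headers -> headers.frameOptions(fo -> fo.sameOrigin()))` if same-origin framing is all that is needed. `hasRole("USER")` on the `/account/**` line admits only principals that carry `ROLE_USER`; the diff does not show whether ADMIN or ORGA accounts also receive that authority or whether a `RoleHierarchy` bean exists, so confirm that admins are not locked out of the user endpoints. The method containing the `http` chain begins before the second hunk.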

+ 44 - 39
src/main/java/fr/triplea/demovote/web/controller/AuthController.java

@@ -1,19 +1,16 @@
 package fr.triplea.demovote.web.controller;
 
 import java.util.List;
-import java.util.stream.Collectors;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -22,14 +19,12 @@ import org.springframework.web.bind.annotation.RestController;
 
 import fr.triplea.demovote.dao.ParticipantRepository;
 import fr.triplea.demovote.dto.UserCredentials;
-import fr.triplea.demovote.model.MyUserDetails;
 import fr.triplea.demovote.model.Participant;
 import fr.triplea.demovote.model.Role;
 import fr.triplea.demovote.security.JwtTokenUtil;
 import fr.triplea.demovote.security.MyUserDetailsService;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-import jakarta.servlet.http.HttpSession;
 
 
 @CrossOrigin(origins = "http://localhost:4200")
@@ -41,10 +36,10 @@ public class AuthController
   private static final Logger LOG = LoggerFactory.getLogger(AuthController.class);
 
   @Autowired
-  private MyUserDetailsService myUserDetailsService;
+  public PasswordEncoder passwordEncoder;
   
   @Autowired
-  private AuthenticationManager authenticationManager;
+  public MyUserDetailsService myUserDetailsService;
   
   @Autowired
   private JwtTokenUtil jwtTokenUtil;
@@ -66,41 +61,49 @@ public class AuthController
     if (found != null)
     { 
       UserDetails userDetails = myUserDetailsService.loadUserByUsername(usrn);
-
-      Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities())); 
-      
-      SecurityContextHolder.getContext().setAuthentication(authentication);
     
-      String token = jwtTokenUtil.generateJwtToken(authentication);
-  
-      MyUserDetails userBean = (MyUserDetails) authentication.getPrincipal();    
-    
-      /*
-      List<String> roles = userBean.getAuthorities().stream().map(auth -> auth.getAuthority()).collect(Collectors.toList());
-   
-      AuthResponse authResponse = new AuthResponse();
-      authResponse.setToken(token);
-      authResponse.setRoles(roles);
-      return ResponseEntity.ok(authResponse);
-      */
+      Authentication authentication = new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()) ; 
       
-      // TODO: add jwtoken in user credentials for frontend
-      
-      uc = new UserCredentials();
-      
-      uc.setUsername(usrn);
-      uc.setPassword("<success@auth>");
-      uc.setNom(found.getNom());
-      uc.setPrenom(found.getPrenom());
+      if (passwordEncoder.matches(pass, userDetails.getPassword()))
+      {
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+        
+        String token = jwtTokenUtil.generateJwtToken(authentication);
+        
+        // TODO: add jwtoken in user credentials for frontend
+        
+        uc = new UserCredentials();
+        
+        uc.setUsername(usrn);
+        uc.setPassword("<success@auth>");
+        uc.setNom(found.getNom());
+        uc.setPrenom(found.getPrenom());
+        uc.setToken(token);
+        uc.setErreur("");
 
-      List<Role> roles = found.getRoles();
-       
-      if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ADMIN")) { uc.setRole("ADMIN"); } } }
-      if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ORGA")) { uc.setRole("ORGA"); } } }
-      if (!(uc.hasRole())) { uc.setRole("USER"); }
+        List<Role> roles = found.getRoles();
+         
+        if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ADMIN")) { uc.setRole("ADMIN"); } } }
+        if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ORGA")) { uc.setRole("ORGA"); } } }
+        if (!(uc.hasRole())) { uc.setRole("USER"); }
 
-      return ResponseEntity.ok(uc);
-     }
+        return ResponseEntity.ok(uc);
+      }
+      else
+      {
+        uc = new UserCredentials();
+        
+        uc.setUsername("");
+        uc.setPassword("");
+        uc.setNom("");
+        uc.setPrenom("");
+        uc.setToken("");
+        uc.setRole("");
+        uc.setErreur("Le mot de passe ne correspond pas à ce participant.");
+       
+        return ResponseEntity.ok(uc);
+      }
+    }
     
     uc = new UserCredentials();
     
@@ -108,7 +111,9 @@ public class AuthController
     uc.setPassword("");
     uc.setNom("");
     uc.setPrenom("");
+    uc.setToken("");
     uc.setRole("");
+    uc.setErreur("Participant introuvable avec ce pseudonyme.");
    
     return ResponseEntity.ok(uc);
   }
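Review bot: The two failure branches return different messages — `Le mot de passe ne correspond pas à ce participant.` when the pseudonyme exists and `Participant introuvable avec ce pseudonyme.` when it does not — both with HTTP 200, which lets a caller tell valid usernames from invalid ones. Use one generic message in both places and a 401, e.g. `uc.setErreur("Identifiants invalides.");` followed by `return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(uc);` (needs an import of `org.springframework.http.HttpStatus`). Replacing `authenticationManager.authenticate(...)` with a direct `passwordEncoder.matches` also drops the checks `DaoAuthenticationProvider` performed on the `UserDetails` flags (`isEnabled`, `isAccountNonLocked`, expiry), and the `UsernamePasswordAuthenticationToken` is now built in its authenticated three-argument form before the password has been verified; constructing it inside the `if` and re-checking those flags there would restore the previous guarantees. The TODO `add jwtoken in user credentials for frontend` is satisfied by the new `uc.setToken(token)` and can go. The login method begins before the first hunk of its body.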

+ 3 - 0
src/main/java/fr/triplea/demovote/web/controller/BulletinController.java

@@ -6,6 +6,7 @@ import java.util.Map;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -42,6 +43,7 @@ public class BulletinController
   private ProductionRepository productionRepository;
 
   @PostMapping(value = "/create")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Object> add(@RequestParam(required = true) int cat_id, @RequestParam(required = true) int part_id, @RequestParam(required = true) int prod_id) 
   { 
     Bulletin bul = bulletinRepository.findByCategorieAndParticipant(cat_id, part_id);
@@ -125,6 +127,7 @@ public class BulletinController
   }
 
   @DeleteMapping(value = "/delete/{id}")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Map<String, Boolean>> remove(@PathVariable int id) 
   { 
     if (id > 0) { bulletinRepository.deleteById(id); }
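Review bot: `@PreAuthorize("hasRole('USER')")` on `add` checks only that the caller is a user; `part_id` is still taken from the request, so nothing ties the vote to the authenticated participant — the id should be derived from the principal via `SecurityContextHolder.getContext().getAuthentication()` or compared against it before `bulletinRepository` is touched. The same client-supplied participant id pattern appears to remain in `MessageController.getList`, `PreferenceController.get` and `ProductionController.create` after this commit. Method-level annotations are also only enforced when a configuration class carries `@EnableMethodSecurity`; it is not visible anywhere in this diff, so confirm it exists, otherwise every `@PreAuthorize` added here and in CategorieController, MessageController, ParticipantController, PreferenceController, PresentationController, ProductionController and VariableController is inert and only the URL rules in SecurityConfig apply.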

+ 6 - 0
src/main/java/fr/triplea/demovote/web/controller/CategorieController.java

@@ -6,6 +6,7 @@ import java.util.Map;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -30,12 +31,14 @@ public class CategorieController
 
 
   @GetMapping(value = "/list")
+  @PreAuthorize("hasRole('ADMIN')")
   public List<Categorie> getList() 
   { 
     return categorieRepository.findAll(); 
   }
 
   @GetMapping(value = "/form/{id}")
+  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Categorie> getForm(@PathVariable int id)
   { 
     Categorie c = categorieRepository.findById(id);
@@ -46,6 +49,7 @@ public class CategorieController
   }
 
   @PostMapping(value = "/create")
+  @PreAuthorize("hasRole('ADMIN')")
   public Categorie create(@RequestBody(required = true) Categorie categorie) 
   { 
     Categorie found = categorieRepository.findById(0);
@@ -58,6 +62,7 @@ public class CategorieController
   }
 
   @PutMapping(value = "/update/{id}")
+  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Object> update(@PathVariable int id, @RequestBody(required = true) Categorie categorie) 
   { 
     Categorie found = categorieRepository.findById(id);
@@ -83,6 +88,7 @@ public class CategorieController
   }
 
   @DeleteMapping(value = "/delete/{id}")
+  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Map<String, Boolean>> disableCategorie(@PathVariable int id) 
   { 
     Categorie c = categorieRepository.getReferenceById(id);

+ 2 - 0
src/main/java/fr/triplea/demovote/web/controller/MessageController.java

@@ -3,6 +3,7 @@ package fr.triplea.demovote.web.controller;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -23,6 +24,7 @@ public class MessageController
   
   
   @GetMapping(value = "/list/{id}")
+  @PreAuthorize("hasRole('USER')")
   public List<Message> getList(@PathVariable int id)
   { 
     return messageRepository.findAll(id, id); 

+ 12 - 2
src/main/java/fr/triplea/demovote/web/controller/ParticipantController.java

@@ -9,6 +9,7 @@ import java.util.UUID;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -18,6 +19,7 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 import fr.triplea.demovote.dao.ParticipantRepository;
@@ -44,19 +46,24 @@ public class ParticipantController
   
 
   @GetMapping(value = "/list")
-  public List<ParticipantList> getList() 
+  @PreAuthorize("hasRole('ORGA')")
+  public List<ParticipantList> getList(@RequestParam("nom") String filtreNom, @RequestParam("statut") int filtreStatut, @RequestParam("arrive") int filtreArrive) 
   { 
-    return participantRepository.getList(); 
+    if (filtreNom != null) { if (filtreNom.isBlank()) { filtreNom = null; } else { filtreNom = filtreNom.trim().toUpperCase(); } }
+    
+    return participantRepository.getList(filtreNom, filtreStatut, filtreArrive);
   }
 
   
   @GetMapping(value = "/option-list")
+  @PreAuthorize("hasRole('ORGA')")
   public List<ParticipantOptionList> getOptionList() 
   { 
     return participantRepository.getOptionList(); 
   }
 
   @GetMapping(value = "/form/{id}")
+  @PreAuthorize("hasRole('ORGA')")
   public ResponseEntity<ParticipantTransfer> getForm(@PathVariable int id) 
   { 
     ParticipantTransfer p = participantRepository.searchById(id);
@@ -67,6 +74,7 @@ public class ParticipantController
   }
 
   @PostMapping(value = "/create")
+  @PreAuthorize("hasRole('ORGA')")
   public ResponseEntity<Object> create(@RequestBody(required = true) ParticipantTransfer participant) 
   { 
     Participant found = participantRepository.findById(0);
@@ -138,6 +146,7 @@ public class ParticipantController
   }
 
   @PutMapping(value = "/update/{id}")
+  @PreAuthorize("hasRole('ORGA')")
   public ResponseEntity<Object> update(@PathVariable int id, @RequestBody(required = true) ParticipantTransfer participant) 
   { 
     Participant found = participantRepository.findById(id);
@@ -201,6 +210,7 @@ public class ParticipantController
   }
 
   @DeleteMapping(value = "/delete/{id}")
+  @PreAuthorize("hasRole('ORGA')")
   public ResponseEntity<Map<String, Boolean>> disableParticipant(@PathVariable int id) 
   { 
     Participant found = participantRepository.getReferenceById(id);
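Review bot: `@RequestParam("nom") String filtreNom` is required by default, so the `filtreNom != null` guard in `getList` is dead code and a request without `nom` (or without `statut`/`arrive`) is rejected with 400 before the method runs; if the filters are meant to be optional, declare `@RequestParam(value = "nom", required = false) String filtreNom` and give the two ints `defaultValue = "0"`. `toUpperCase()` without a locale follows the JVM default locale, which can diverge from the SQL `UPPER()` it is meant to mirror; `toUpperCase(Locale.ROOT)` (with `java.util.Locale` imported) is the predictable form. The `%` and `_` characters in `filtreNom` are passed through to a `LIKE` pattern unescaped, so either strip or escape them here or document that the filter accepts wildcards.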

+ 4 - 0
src/main/java/fr/triplea/demovote/web/controller/PreferenceController.java

@@ -4,6 +4,7 @@ import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -28,12 +29,14 @@ public class PreferenceController
 
   
   @PostMapping(value = "/list")
+  @PreAuthorize("hasRole('USER')")
   public List<Preference> get(@RequestParam(required = true) Participant numParticipant, @RequestParam(required = false) int numTraitement) 
   { 
     return preferenceRepository.findByParticipantAndTraitement(numParticipant, numTraitement); 
   }
 
   @PostMapping(value = "/create")
+  @PreAuthorize("hasRole('USER')")
   public Preference create(@RequestBody(required = true) Preference preference) 
   { 
     Preference found = preferenceRepository.findById(0);
@@ -44,6 +47,7 @@ public class PreferenceController
   }
 
   @PutMapping(value = "/update/{id}")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Preference> update(@PathVariable int id, @RequestBody(required = true) Preference preference) 
   { 
     Preference found = preferenceRepository.findById(id);

+ 2 - 0
src/main/java/fr/triplea/demovote/web/controller/PresentationController.java

@@ -4,6 +4,7 @@ package fr.triplea.demovote.web.controller;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -22,6 +23,7 @@ public class PresentationController
   private PresentationRepository presentationRepository;
  
   @GetMapping(value = "/list")
+  @PreAuthorize("hasRole('ADMIN')")
   public List<Presentation> getList() 
   {
     return presentationRepository.findAll(); 

+ 9 - 0
src/main/java/fr/triplea/demovote/web/controller/ProductionController.java

@@ -11,6 +11,7 @@ import org.springframework.core.io.ByteArrayResource;
 import org.springframework.core.io.Resource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -49,6 +50,7 @@ public class ProductionController
 
  
   @GetMapping(value = "/list")
+  @PreAuthorize("hasRole('USER')")
   public List<Production> getList(@RequestParam(required = false) String type) 
   { 
     List<ProductionShort> prods = productionRepository.findAllWithoutArchive();
@@ -61,6 +63,7 @@ public class ProductionController
   }
 
   @GetMapping(value = "/file/{id}")
+  @PreAuthorize("hasRole('USER')")
   @ResponseBody
   public ResponseEntity<Resource> getFile(@PathVariable int id) 
   {
@@ -81,6 +84,7 @@ public class ProductionController
   }
 
   @GetMapping(value = "/form/{id}")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Production> getForm(@PathVariable int id)
   { 
     ProductionShort p = productionRepository.findByIdWithoutArchive(id);
@@ -91,6 +95,7 @@ public class ProductionController
   }
 
   @GetMapping(value = "/formfile/{id}")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<ProductionFile> getFormFile(@PathVariable int id)
   { 
     ProductionFile p = productionRepository.findByIdForUpload(id);
@@ -101,6 +106,7 @@ public class ProductionController
   }
 
   @PostMapping(value = "/create")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Map<String, Boolean>> create(@RequestBody(required = true) ProductionTransfer production, HttpServletRequest request) 
   { 
     Participant participant = participantRepository.findById(production.numeroParticipant());
@@ -144,6 +150,7 @@ public class ProductionController
   }
  
   @PutMapping(value = "/update/{id}")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Map<String, Boolean>> update(HttpServletRequest request, @PathVariable int id, @RequestBody(required = true) ProductionUpdate production) 
   { 
     Production found = productionRepository.findById(id);
@@ -188,6 +195,7 @@ public class ProductionController
   }
   
   @PutMapping(value = "/upload/{id}")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Map<String, Boolean>> update(@PathVariable int id, @RequestBody(required = true) ProductionFile production) 
   { 
     Production found = productionRepository.findById(id);
@@ -224,6 +232,7 @@ public class ProductionController
   }
 
   @DeleteMapping(value = "/delete/{id}")
+  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Map<String, Boolean>> disableProduction(@PathVariable int id) 
   { 
     Production found = productionRepository.getReferenceById(id);
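Review bot: Every method in this controller now requires `hasRole('USER')`, but SecurityConfig in this same commit maps `/production/**` to `.hasRole("ADMIN")`; if this controller is served under `/production` (its `@RequestMapping` is outside these hunks), the URL rule is evaluated first and plain users never reach these methods, so either the annotations are redundant or the URL rule is wrong. Decide which layer owns the decision and align them — for instance move `/production/**` onto the USER line in SecurityConfig if participants are meant to manage their own productions. `create` also still takes `production.numeroParticipant()` from the request body rather than from the authenticated principal, so the role check alone does not prevent acting on another participant's behalf.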

+ 7 - 0
src/main/java/fr/triplea/demovote/web/controller/VariableController.java

@@ -7,6 +7,7 @@ import java.util.Map;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -33,6 +34,7 @@ public class VariableController
 
 
   @GetMapping(value = "/list")
+  @PreAuthorize("hasRole('ADMIN')")
   public List<Variable> getList(@RequestParam(required = false) String type) 
   { 
     if (type == null) { return variableRepository.findAll(); }
@@ -43,12 +45,14 @@ public class VariableController
   }
   
   @GetMapping(value = "/option-list")
+  @PreAuthorize("hasRole('ADMIN')")
   public List<VariableTypeOptionList> getOptionList() 
   { 
     return variableRepository.getTypes(); 
   }
  
   @GetMapping(value = "/form/{id}")
+  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Variable> getForm(@PathVariable int id) 
   { 
     Variable v = variableRepository.findById(id);
@@ -59,6 +63,7 @@ public class VariableController
   }
 
   @PostMapping(value = "/create")
+  @PreAuthorize("hasRole('ADMIN')")
   public Variable create(@RequestBody(required = true) Variable variable) 
   { 
     Variable found = variableRepository.findById(0);
@@ -71,6 +76,7 @@ public class VariableController
   }
  
   @PutMapping(value = "/update/{id}")
+  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Variable> update(@PathVariable int id, @RequestBody(required = true) Variable variable) 
   { 
     Variable found = variableRepository.findById(id);
@@ -91,6 +97,7 @@ public class VariableController
   }
 
   @DeleteMapping(value = "/delete/{id}")
+  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Map<String, Boolean>> deleteVariable(@PathVariable int id) 
   { 
     Variable found = variableRepository.findById(id);

+ 1 - 1
src/main/resources/application.properties

@@ -19,5 +19,5 @@ server.servlet.context-path=/demovote-api/v1
 #logging.logback.rollingpolicy.total-size-cap=10MB
 #logging.logback.rollingpolicy.max-history=5
 
-jwttoken.secret=alchimie!!!
+jwttoken.secret=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
 jwttoken.expiration=3600000