From 1b4e3f29d8c28fcf765aa17e2e8a91e3a6c3861b Mon Sep 17 00:00:00 2001
From: pabloFuente
Date: Sun, 2 Nov 2025 17:50:03 +0100
Subject: [PATCH] openvidu-server: update SecurityConfig.java to be reused
---
 .../server/config/SecurityConfig.java | 58 ++++++++++++-------
 1 file changed, 38 insertions(+), 20 deletions(-)
diff --git a/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java b/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
index ef651e3cd..fb5571afe 100644
--- a/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
+++ b/openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
@@ -49,30 +49,48 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-
- http.cors(cors -> cors.disable())
- .csrf(csrf -> csrf.disable())
- .authorizeHttpRequests(auth -> {
- auth.requestMatchers(HttpMethod.GET, RequestMappings.API + "/config/openvidu-publicurl").permitAll()
- .requestMatchers(HttpMethod.GET, RequestMappings.ACCEPT_CERTIFICATE).permitAll()
- .requestMatchers("/openvidu/**").permitAll() // Allow WebSocket connections
- .requestMatchers(RequestMappings.API + "/**").hasRole("ADMIN")
- .requestMatchers(HttpMethod.GET, RequestMappings.CDR + "/**").hasRole("ADMIN")
- .requestMatchers(HttpMethod.GET, RequestMappings.FRONTEND_CE + "/**").hasRole("ADMIN")
- .requestMatchers(HttpMethod.GET, RequestMappings.CUSTOM_LAYOUTS + "/**").hasRole("ADMIN");
-
- // Secure recordings depending on OPENVIDU_RECORDING_PUBLIC_ACCESS
- if (openviduConf.getOpenViduRecordingPublicAccess()) {
- auth.requestMatchers(HttpMethod.GET, RequestMappings.RECORDINGS + "/**").permitAll();
- } else {
- auth.requestMatchers(HttpMethod.GET, RequestMappings.RECORDINGS + "/**").hasRole("ADMIN");
- }
- })
- .httpBasic(httpBasic -> {});
+ // Configure CORS and CSRF
+ configureHttpSecurity(http);
+
+ // Configure authorization rules
+ configureAuthorization(http);
+
+ // Configure HTTP Basic authentication
+ http.httpBasic(httpBasic -> {});
 return http.build();
 }
+ /**
+ * Configure CORS and CSRF settings. Can be overridden by subclasses.
+ */
+ protected void configureHttpSecurity(HttpSecurity http) throws Exception {
+ http.cors(cors -> cors.disable())
+ .csrf(csrf -> csrf.disable());
+ }
+
+ /**
+ * Configure authorization rules for CE. Can be extended by PRO subclass.
+ */
+ protected void configureAuthorization(HttpSecurity http) throws Exception {
+ http.authorizeHttpRequests(auth -> {
+ auth.requestMatchers(HttpMethod.GET, RequestMappings.API + "/config/openvidu-publicurl").permitAll()
+ .requestMatchers(HttpMethod.GET, RequestMappings.ACCEPT_CERTIFICATE).permitAll()
+ .requestMatchers("/openvidu/**").permitAll() // Allow WebSocket connections
+ .requestMatchers(RequestMappings.API + "/**").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.GET, RequestMappings.CDR + "/**").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.GET, RequestMappings.FRONTEND_CE + "/**").hasRole("ADMIN")
+ .requestMatchers(HttpMethod.GET, RequestMappings.CUSTOM_LAYOUTS + "/**").hasRole("ADMIN");
+
+ // Secure recordings depending on OPENVIDU_RECORDING_PUBLIC_ACCESS
+ if (openviduConf.getOpenViduRecordingPublicAccess()) {
+ auth.requestMatchers(HttpMethod.GET, RequestMappings.RECORDINGS + "/**").permitAll();
+ } else {
+ auth.requestMatchers(HttpMethod.GET, RequestMappings.RECORDINGS + "/**").hasRole("ADMIN");
+ }
+ });
+ }
+
 @Bean
 public CorsFilter corsFilter() {
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
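Review bot: In `configureAuthorization` the broad `.requestMatchers("/openvidu/**").permitAll()` is registered before `.requestMatchers(RequestMappings.API + "/**").hasRole("ADMIN")` and the CDR, FRONTEND_CE, CUSTOM_LAYOUTS and RECORDINGS rules; `authorizeHttpRequests` applies the first matching rule, so if those constants resolve to paths under `/openvidu/` (their values are not visible in this hunk) the ADMIN checks after it can never fire and the REST API would be reachable without HTTP Basic credentials. Narrow the WebSocket exception to the exact endpoint it needs, or place it after the admin rules, e.g. `.requestMatchers(RequestMappings.API + "/**").hasRole("ADMIN")` first and `.requestMatchers("/openvidu/**").permitAll()` as the last matcher in the chain. Since the Javadoc presents this method as an extension point for a PRO subclass, it should also state that a later `http.authorizeHttpRequests(...)` call appends to the same registry after these rules, so a subclass can only affect paths not already matched here, e.g. `* Rules are first-match: matchers registered by a subclass afterwards only apply to paths none of the CE rules cover.` There is no terminal `anyRequest()` rule either, so what happens to unmatched paths depends on the Spring Security version's default; once the PRO rules are appended the chain should be closed explicitly with `anyRequest().denyAll()` or `authenticated()`.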