ambiser
/
openvidu
mirror of https://github.com/OpenVidu/openvidu.git
9
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

openvidu-server: new fix for SecurityConfig paths

v2
pabloFuente 2025-11-03 15:10:31 +01:00
parent 146aa315fc
commit a81d3f7c26
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
openvidu-server/src/main/java/io/openvidu/server/config/SecurityConfig.java
View File

@ -74,17 +74,25 @@ public class SecurityConfig {
*/
protected void configureAuthorization(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> {
configureProtectedEndpoints(auth);
// 1. Public endpoints first (most specific)
configurePublicEndpoints(auth);
// 2. Protected endpoints second (less specific /api/**)
configureProtectedEndpoints(auth);
// 3. WebSocket endpoints last (least specific)
configureWebSocketEndpoints(auth);
});
}
/**
* Configure public endpoints. Can be overridden by subclasses.
* MUST be called BEFORE configureProtectedEndpoints to ensure specific public paths
* are not caught by broader protected patterns like /api/**
*/
protected void configurePublicEndpoints(org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer<?>.AuthorizationManagerRequestMatcherRegistry auth) {
// Public endpoints
// Allow CORS preflight requests FIRST
auth.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll();
// Public API endpoints (must come before /api/** pattern)
auth.requestMatchers(HttpMethod.GET, RequestMappings.API + "/config/openvidu-publicurl").permitAll()
.requestMatchers(HttpMethod.GET, RequestMappings.ACCEPT_CERTIFICATE).permitAll();
@ -94,16 +102,14 @@ public class SecurityConfig {
} else {
auth.requestMatchers(HttpMethod.GET, RequestMappings.RECORDINGS + "/**").hasRole("ADMIN");
}
// Allow CORS preflight requests
auth.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll();
}
/**
* Configure protected API endpoints. Can be extended by subclasses.
* MUST be called AFTER configurePublicEndpoints to avoid catching specific public paths.
*/
protected void configureProtectedEndpoints(org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer<?>.AuthorizationManagerRequestMatcherRegistry auth) {
// Protected API endpoints (must come before WebSocket to take precedence)
// Protected API endpoints - uses broader patterns so must come AFTER public endpoints
auth.requestMatchers(RequestMappings.API + "/**").hasRole("ADMIN")
.requestMatchers(HttpMethod.GET, RequestMappings.CDR + "/**").hasRole("ADMIN")
.requestMatchers(HttpMethod.GET, RequestMappings.FRONTEND_CE + "/**").hasRole("ADMIN")