Aprimorada configuração de segurança com habilitação de segurança baseada em anotações e ajustes nas permissões de acesso para usuários e produtos. Configurando e usando "@secured" e "@PreAuthorize".

AlexSimao · AlexSimao · commit 99e5453598fe · 2025-02-12T00:56:44.000-03:00
diff --git a/src/main/java/com/estudo/springsecurity/infra/security/SecurityConfig.java b/src/main/java/com/estudo/springsecurity/infra/security/SecurityConfig.java
@@ -6,6 +6,7 @@
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -16,6 +17,7 @@
 
 @Configuration
 @EnableWebSecurity // Habilita para essa classe as configuraçoes do Spring Security
+@EnableMethodSecurity(securedEnabled = true) // Habilita a segurança baseada em anotações @PreAuthorize e @Secured
 public class SecurityConfig {
 
   @SuppressWarnings("unused")
@@ -36,7 +38,6 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         .authorizeHttpRequests(authorize -> authorize
             .requestMatchers(HttpMethod.POST, "/auth/register").hasRole("ADMIN")
             .requestMatchers(HttpMethod.POST, "/auth/login").permitAll()
-            .requestMatchers(HttpMethod.GET, "/user").hasRole("ADMIN")
             // So deve ser descomentado para cadastro do primeiro usuário ADMIN no sistema.
             // .requestMatchers(HttpMethod.POST, "/auth/register").permitAll()
             .anyRequest().authenticated())
diff --git a/src/main/java/com/estudo/springsecurity/services/AuthService.java b/src/main/java/com/estudo/springsecurity/services/AuthService.java
@@ -59,6 +59,7 @@ public AuthResponseDTO login(LoginRequestDTO loginRequestDTO) {
     return new AuthResponseDTO(user.getName(), token, "Bem Vindo de Volta");
   }
 
+  // Apenas ADMIN pode registrar novos usuários configurando no SecurityConfig
   public AuthResponseDTO register(UserDTO userDTO) {
     Optional<User> user = userRepository.findByEmail(userDTO.getEmail());
 
diff --git a/src/main/java/com/estudo/springsecurity/services/ProductService.java b/src/main/java/com/estudo/springsecurity/services/ProductService.java
@@ -3,6 +3,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Service;
 
 import com.estudo.springsecurity.dtos.ProductDTO;
@@ -16,12 +17,14 @@ public class ProductService {
   @Autowired
   private ProductRepository productRepository;
 
+  @Secured({ "ROLE_ADMIN", "ROLE_USER" })
   public Page<ProductDTO> getAll(Pageable pageable) {
     Page<Product> result = productRepository.findAll(pageable);
     Page<ProductDTO> dto = result.map(ProductDTO::new);
     return dto;
   }
 
+  @Secured({ "ROLE_ADMIN", "ROLE_USER" })
   public ProductDTO getOne(Long id) {
     Product result = productRepository.findById(id)
         .orElseThrow(() -> new EntityNotFoundException("Produto com id: " + id + " não encontrado."));
@@ -30,6 +33,7 @@ public ProductDTO getOne(Long id) {
     return dto;
   }
 
+  @Secured({ "ROLE_ADMIN", "ROLE_USER" })
   public ProductDTO createProduct(ProductDTO productDTO) {
     if (productDTO.getName().isBlank() || productDTO.getName() == null) {
       throw new IllegalArgumentException("Nome do produto não pode ser vazio ou 'null': " + productDTO.getName());
diff --git a/src/main/java/com/estudo/springsecurity/services/UserService.java b/src/main/java/com/estudo/springsecurity/services/UserService.java
@@ -3,6 +3,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -16,13 +17,15 @@ public class UserService {
   private UserRepository userRepository;
 
   @Transactional(readOnly = true)
+  @PreAuthorize("hasRole('ADMIN')")
   public Page<UserDTO> getAll(Pageable pageable) {
     Page<User> result = userRepository.findAll(pageable);
     Page<UserDTO> dto = result.map(UserDTO::new);
     return dto;
   }
 
   @Transactional(readOnly = true)
+  @PreAuthorize("hasRole('ADMIN')")
   public UserDTO getOne(String id) {
     User result = userRepository.findById(id)
         .orElseThrow(() -> new RuntimeException("Usuario com id: " + id + " não encontrado"));

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ public AuthResponseDTO login(LoginRequestDTO loginRequestDTO) {`
`59`	`59`	`return new AuthResponseDTO(user.getName(), token, "Bem Vindo de Volta");`
`60`	`60`	`}`
`61`	`61`
	`62`	`+ // Apenas ADMIN pode registrar novos usuários configurando no SecurityConfig`
`62`	`63`	`public AuthResponseDTO register(UserDTO userDTO) {`
`63`	`64`	`Optional<User> user = userRepository.findByEmail(userDTO.getEmail());`
`64`	`65`