From dbf1af523cd6051db633db9d332e3ff22ae4e714 Mon Sep 17 00:00:00 2001
From: Pekka Helenius
Date: Tue, 6 Oct 2020 15:32:17 +0300
Subject: [PATCH] Un-hardcode WebSecurityConfig authorities; add commenting

Signed-off-by: Pekka Helenius
---
 .../com/fjordtek/bookstore/config/WebSecurityConfig.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
index 597e6fa..fb3f699 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/config/WebSecurityConfig.java
@@ -83,7 +83,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 .antMatcher(env.getProperty("spring.data.rest.base-path") + "/**")
 .authorizeRequests(
 authorize -> authorize
- .anyRequest().hasAuthority("ADMIN")
+ .anyRequest().hasAuthority(env.getProperty("auth.authority.admin"))
 )
 .httpBasic()
 .and()
@@ -106,6 +106,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity httpSecurity) throws Exception {
+ /*
+ * Explicitly Permit access to specific end points.
+ * Basic norm is: if the end point access is not permitted here,
+ * public access to it is denied by default.
+ */
 httpSecurity
 .authorizeRequests()
 .antMatchers(
@@ -119,7 +124,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 // "/favicon.ico",
 ).permitAll()
 .antMatchers(env.getProperty("page.url.apiref") + "/**")
- .hasAuthority("ADMIN")
+ .hasAuthority(env.getProperty("auth.authority.admin"))
 .anyRequest()
 .authenticated()
 .and()
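Review bot: `env.getProperty("auth.authority.admin")` on the added `hasAuthority(...)` line in the first hunk returns null when the property is absent from the active configuration, and as far as I can tell Spring Security then builds the access rule from the string "null" instead of failing, so a missing or misspelled property makes the admin-only REST path silently unreachable for every real principal (and matchable by an authority literally named "null") rather than surfacing as a startup error; the same applies to the apiref matcher in the third hunk. Prefer `env.getRequiredProperty("auth.authority.admin")`, which throws at context startup when the value is missing, and resolve it once into a `private final String adminAuthority` field so both rules are guaranteed to use the same value. In the second hunk the added comment says unlisted endpoints are "denied by default", while the chain that follows ends in `.anyRequest().authenticated()`; a wording such as `* endpoints not listed here require an authenticated user.` would describe the actual rule. Both `configure` methods start and end outside their hunks.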