agregar seguridad en el controlador usando anotaciones @secured @PreA…

…uthorize

src/main/java/com/config/SpringSecurityConfig.java

@@ -5,12 +5,14 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
+@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled=true)
 @Configuration
 public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
 
@@ -43,11 +45,11 @@ protected void configure(HttpSecurity http) throws Exception {
         http
             .authorizeRequests()
             .antMatchers("/","/css/**","/js/**","/img/**","/listar").permitAll()
-            .antMatchers("/ver/**").hasAnyRole("USER")
+           /* .antMatchers("/ver/**").hasAnyRole("USER")
             .antMatchers("/uploads/**").hasAnyRole("USER")
             .antMatchers("/form/**").hasAnyRole("ADMIN")
             .antMatchers("/eliminar/**").hasAnyRole("ADMIN")
-            .antMatchers("/factura/**").hasAnyRole("ADMIN")
+            .antMatchers("/factura/**").hasAnyRole("ADMIN") */
             .anyRequest().authenticated()
             .and()
                 .formLogin()

src/main/java/com/controllers/ClienteController.java

@@ -25,6 +25,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -52,6 +53,7 @@ public class ClienteController {
 	@Autowired
 	private IUploadFileService uploadFileService;
 
+	@Secured({"ROLE_USER","ROLE_ADMIN"})
 	@GetMapping(value="/uploads/{filename:.+}")
 	public ResponseEntity<Resource> verFoto(@PathVariable String filename) {
 		Resource recurso = null;
@@ -66,7 +68,8 @@ public ResponseEntity<Resource> verFoto(@PathVariable String filename) {
 				.body(recurso);
 	}
 
-	@Secured({"ROLE_USER"})
+//	@Secured({"ROLE_USER"})
+	@PreAuthorize("hasRole('ROLE_USER')")
 	@GetMapping(value = "/ver/{id}")
 	public String ver(@PathVariable(value = "id") Long id, Map<String, Object> model, RedirectAttributes flash) {
 //		Optional<Cliente> cl = clienteService.findById(id);
@@ -137,7 +140,8 @@ public String crear(Map<String, Object> model) {
 		return "form";
 	}
 
-	@Secured("ROLE_ADMIN")
+//	@Secured("ROLE_ADMIN")
+	@PreAuthorize("hasRole('ROLE_ADMIN')")
 	@RequestMapping(value="/form/{id}")
 	public String editar(@PathVariable(value="id") Long id, Map<String, Object> model, RedirectAttributes flash) {
 

src/main/java/com/controllers/FacturaController.java

@@ -8,6 +8,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
@@ -19,6 +20,7 @@
 import java.util.List;
 import java.util.Map;
 
+@Secured("ROLE_ADMIN")
 @Controller
 @RequestMapping("/factura")
 @SessionAttributes("factura")