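/**
 * Spring Security configuration for the REST endpoints.
 *
 * <p>Authentication is delegated to {@link CustomAuthenticationProvider} and presented to
 * clients as HTTP Basic. The chain is stateless (no HTTP session is created) and is registered
 * with {@link Ordered#HIGHEST_PRECEDENCE}, so it is consulted before any other
 * {@code WebSecurityConfigurerAdapter} in the application.
 *
 * <p>Security-relevant points for whoever deploys this:
 * <ul>
 *   <li>Enforcement is opt-in: {@code app.rest-auth-enabled} defaults to {@code false}, in which
 *       case every request is permitted without credentials.</li>
 *   <li>HTTP Basic sends the credentials with every request, only base64-encoded.
 *       NOTE(review): nothing in this class enforces HTTPS; confirm TLS is terminated in front
 *       of these endpoints.</li>
 *   <li>CSRF protection is disabled. That fits non-browser API clients; a browser that has
 *       cached Basic credentials resends them automatically on cross-site requests, so confirm
 *       no browser-based client depends on this chain.</li>
 * </ul>
 */
@Configuration
@EnableWebSecurity
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CustomSecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(CustomSecurityConfiguration.class);

    /**
     * Whether {@code /api/**} requires authentication. Bound to {@code app.rest-auth-enabled};
     * when the property is absent the value is {@code false}, i.e. the configuration fails open.
     */
    @Value("${app.rest-auth-enabled:false}")
    boolean enableAuth;

    /**
     * Provides the authentication provider used by this chain. Registered as a bean only when
     * the context does not already contain a {@code CustomAuthenticationProvider}.
     *
     * @return a new {@link CustomAuthenticationProvider}
     */
    @Bean
    @ConditionalOnMissingBean
    public CustomAuthenticationProvider customAuthenticationProvider() {
        return new CustomAuthenticationProvider();
    }

    /**
     * Builds the filter chain: shared stateless / HTTP Basic setup, then authorization rules
     * chosen by {@link #enableAuth}.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception if the underlying configurers fail
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        logger.info("enable rest api auth:{}",enableAuth);

        // Settings common to both modes: custom provider, no CSRF token, no HTTP session.
        http
            .authenticationProvider(customAuthenticationProvider())
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        if (enableAuth) {
            http.authorizeRequests()
                .antMatchers("/api/**").authenticated()
                // NOTE(review): anonymous() admits only unauthenticated callers; a request that
                // carries valid Basic credentials for a path outside /api/** is rejected.
                // Confirm permitAll() was not the intent.
                .anyRequest().anonymous();
            http.httpBasic().realmName("app api");
        } else {
            // Make the fail-open state visible in the logs at a level operators alert on.
            logger.warn("rest api auth is disabled (app.rest-auth-enabled=false): "
                    + "all requests are permitted without authentication");
            // The original per-method matchers (OPTIONS/GET/POST/PUT/DELETE on "/**") were all
            // subsumed by the final "/**" rule; a single catch-all expresses the same policy.
            http.authorizeRequests()
                .anyRequest().permitAll();
            http.httpBasic().realmName("bpm api");
        }
    }
}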
spring security 自定义认证