author | Bruno Sakoto <bruno.sakoto@bell.ca> | 2021-03-10 13:13:50 -0500 |
---|---|---|
committer | Toine Siebelink <toine.siebelink@est.tech> | 2021-03-11 14:28:35 +0000 |
commit | 99f0f0be7cc540dd32aacc770468d73444bcfb18 (patch) | |
tree | 24a6306aa46511a3f8e19ae1094d1f95d4124ffb | |
parent | 2555da9a1a946920d7e42469874e94a71f40dc6d (diff) |
Suppress csrf sonar security hotspot warning
Issue-ID: CPS-285
Signed-off-by: Bruno Sakoto <bruno.sakoto@bell.ca>
Change-Id: I95d2b7d48714d21e2cdcaab36f3ba9903f0b5342
-rw-r--r-- | cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
index 943e02c273..5538341118 100644
--- a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
@@ -44,6 +44,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     private static final String USER_ROLE = "USER";
     @Override
+    // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
+    // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
+    // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
+    // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
+    @SuppressWarnings("squid:S4502")
     protected void configure(final HttpSecurity http) throws Exception {
         http
             .csrf().disable()
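Review bot: The added justification rests on every request carrying an explicit authentication header, but the rest of `configure` (which continues past the hunk) is not visible, so it is unclear whether authentication is `httpBasic()` or another scheme; browsers cache HTTP Basic credentials and resend them automatically, so the "stateless, not session-based" argument only holds while no credential is attached by the browser on its own. Suggest making that precondition explicit in the comment so the next maintainer re-evaluates it if auth changes: `// Safe only while no credential is attached automatically by browsers (no session cookie, no cached HTTP Basic auth); re-enable CSRF protection if that changes.` As a point of style, the comment block is wedged between `@Override` and `@SuppressWarnings("squid:S4502")`, splitting the annotation group; placing it above `@Override` keeps the annotations together and reads more naturally.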