authorBruno Sakoto <bruno.sakoto@bell.ca>2021-03-10 13:13:50 -0500
committerToine Siebelink <toine.siebelink@est.tech>2021-03-11 14:28:35 +0000
commit99f0f0be7cc540dd32aacc770468d73444bcfb18 (patch)
tree24a6306aa46511a3f8e19ae1094d1f95d4124ffb
parent2555da9a1a946920d7e42469874e94a71f40dc6d (diff)
Suppress csrf sonar security hotspot warning
Issue-ID: CPS-285 Signed-off-by: Bruno Sakoto <bruno.sakoto@bell.ca> Change-Id: I95d2b7d48714d21e2cdcaab36f3ba9903f0b5342
-rw-r--r--cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java5
1 files changed, 5 insertions, 0 deletions
diff --git a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
index 943e02c273..5538341118 100644
--- a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
@@ -44,6 +44,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String USER_ROLE = "USER";
@Override
+ // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
+ // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
+ // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
+ // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
+ @SuppressWarnings("squid:S4502")
protected void configure(final HttpSecurity http) throws Exception {
http
.csrf().disable()