aboutsummaryrefslogtreecommitdiffstats
path: root/cps-application/src/main
diff options
context:
space:
mode:
authordanielhanrahan <daniel.hanrahan@est.tech>2024-02-28 07:13:50 +0000
committerdanielhanrahan <daniel.hanrahan@est.tech>2024-02-29 10:00:24 +0000
commit4a87570c44f41bf19f550f9fed9ecf072db16d74 (patch)
tree01c8a0ec24af10a7d0e4d6c945abb594be2a520b /cps-application/src/main
parenta7f3568a39c7d12859a55e0c76c452e0d3f1938b (diff)
Disable Spring Security and HTTP Basic Auth (CPS-2126 #1)
This allows any authorization header to be passed in. Issue-ID: CPS-2127 Signed-off-by: danielhanrahan <daniel.hanrahan@est.tech> Change-Id: Ib1c5bd7024eed39afd1ae6e19325ed4733c853d4
Diffstat (limited to 'cps-application/src/main')
-rw-r--r--cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java103
1 files changed, 0 insertions, 103 deletions
diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
deleted file mode 100644
index 0b6d0dba1e..0000000000
--- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * ============LICENSE_START=======================================================
- * Copyright (c) 2021 Bell Canada.
- * Modification Copyright (C) 2021 Pantheon.tech
- * Modification Copyright (C) 2023 Nordix Foundation
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.cps.config;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
-import org.springframework.security.web.SecurityFilterChain;
-
-/**
- * Configuration class to implement application security.
- * It enforces Basic Authentication access control.
- */
-@Configuration
-@EnableWebSecurity
-public class WebSecurityConfig {
- private static final String USER_ROLE = "USER";
- private final String username;
- private final String password;
- private final String[] permitUris;
-
- /**
- * Constructor. Accepts parameters from configuration.
- *
- * @param permitUris comma-separated list of uri patterns for endpoints permitted
- * @param username username
- * @param password password
- */
- public WebSecurityConfig(
- @Autowired @Value("${security.permit-uri}") final String permitUris,
- @Autowired @Value("${security.auth.username}") final String username,
- @Autowired @Value("${security.auth.password}") final String password
- ) {
- super();
- this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s{0,9},\\s{0,9}");
- this.username = username;
- this.password = password;
- }
-
- /**
- * Return the configuration for secure access to the modules REST end points.
- *
- * @param http the HTTP security settings.
- * @return the HTTP security settings.
- */
- @Bean
- // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
- // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
- // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
- // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
- @SuppressWarnings("squid:S4502")
- public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
- http
- .httpBasic(httpBasicCustomizer -> {})
- .authorizeHttpRequests(authorizeHttpRequestsCustomizer -> {
- authorizeHttpRequestsCustomizer.requestMatchers(permitUris).permitAll();
- authorizeHttpRequestsCustomizer.anyRequest().authenticated();
- })
- .csrf(AbstractHttpConfigurer::disable);
- return http.build();
- }
-
- /**
- * In memory user authentication details.
- *
- * @return in memory authentication
- */
- @Bean
- public InMemoryUserDetailsManager userDetailsService() {
- final UserDetails user = User.builder()
- .username(username)
- .password("{noop}" + password)
- .roles(USER_ROLE)
- .build();
- return new InMemoryUserDetailsManager(user);
- }
-}