diff options
-rw-r--r-- | cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java | 50 | ||||
-rwxr-xr-x | cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy | 4 |
2 files changed, 41 insertions, 13 deletions
diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java index 93a3a6ed2b..aedc6a8d66 100644 --- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java +++ b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java @@ -2,6 +2,7 @@ * ============LICENSE_START======================================================= * Copyright (c) 2021 Bell Canada. * Modification Copyright (C) 2021 Pantheon.tech + * Modification Copyright (C) 2023 Nordix Foundation * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,11 +23,14 @@ package org.onap.cps.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; /** * Configuration class to implement application security. @@ -34,7 +38,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur */ @Configuration @EnableWebSecurity -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { +public class WebSecurityConfig { private static final String USER_ROLE = "USER"; @@ -60,23 +64,43 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { this.password = password; } - @Override + /** + * Return the configuration for secure access to the modules REST end points. + * + * @param http the HTTP security settings. + * @return the HTTP security settings. + */ + @Bean // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation. // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header. // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf @SuppressWarnings("squid:S4502") - protected void configure(final HttpSecurity http) throws Exception { + public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception { http - .csrf().disable() - .authorizeRequests() - .antMatchers(permitUris).permitAll() - .anyRequest().authenticated() - .and().httpBasic(); + .httpBasic() + .and() + .authorizeRequests() + .antMatchers(permitUris).permitAll() + .anyRequest().authenticated() + .and() + .csrf().disable(); + + return http.build(); } - @Override - protected void configure(final AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication().withUser(username).password("{noop}" + password).roles(USER_ROLE); + /** + * In memory user authentication details. + * + * @return in memory authetication + */ + @Bean + public InMemoryUserDetailsManager userDetailsService() { + final UserDetails user = User.builder() + .username(username) + .password("{noop}" + password) + .roles(USER_ROLE) + .build(); + return new InMemoryUserDetailsManager(user); } } diff --git a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy index 5c255f1dac..ccadc57240 100755 --- a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy +++ b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy @@ -20,6 +20,9 @@ package org.onap.cps.rest.controller +import org.onap.cps.config.WebSecurityConfig +import org.springframework.context.annotation.Import + import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get import org.springframework.beans.factory.annotation.Autowired @@ -29,6 +32,7 @@ import org.springframework.test.web.servlet.MockMvc import spock.lang.Specification @WebMvcTest(TestController) +@Import(WebSecurityConfig) class ControllerSecuritySpec extends Specification { @Autowired |