summaryrefslogtreecommitdiffstats
path: root/cps-application
diff options
context:
space:
mode:
Diffstat (limited to 'cps-application')
-rw-r--r--cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java50
-rwxr-xr-xcps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy4
2 files changed, 41 insertions, 13 deletions
diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
index 93a3a6ed2b..aedc6a8d66 100644
--- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
@@ -2,6 +2,7 @@
* ============LICENSE_START=======================================================
* Copyright (c) 2021 Bell Canada.
* Modification Copyright (C) 2021 Pantheon.tech
+ * Modification Copyright (C) 2023 Nordix Foundation
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -22,11 +23,14 @@ package org.onap.cps.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
/**
* Configuration class to implement application security.
@@ -34,7 +38,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
*/
@Configuration
@EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
private static final String USER_ROLE = "USER";
@@ -60,23 +64,43 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
this.password = password;
}
- @Override
+ /**
+ * Return the configuration for secure access to the modules REST end points.
+ *
+ * @param http the HTTP security settings.
+ * @return the HTTP security settings.
+ */
+ @Bean
// The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
// CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
// web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
// See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
@SuppressWarnings("squid:S4502")
- protected void configure(final HttpSecurity http) throws Exception {
+ public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
http
- .csrf().disable()
- .authorizeRequests()
- .antMatchers(permitUris).permitAll()
- .anyRequest().authenticated()
- .and().httpBasic();
+ .httpBasic()
+ .and()
+ .authorizeRequests()
+ .antMatchers(permitUris).permitAll()
+ .anyRequest().authenticated()
+ .and()
+ .csrf().disable();
+
+ return http.build();
}
- @Override
- protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
- auth.inMemoryAuthentication().withUser(username).password("{noop}" + password).roles(USER_ROLE);
+ /**
+ * In memory user authentication details.
+ *
+ * @return in memory authetication
+ */
+ @Bean
+ public InMemoryUserDetailsManager userDetailsService() {
+ final UserDetails user = User.builder()
+ .username(username)
+ .password("{noop}" + password)
+ .roles(USER_ROLE)
+ .build();
+ return new InMemoryUserDetailsManager(user);
}
}
diff --git a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
index 5c255f1dac..ccadc57240 100755
--- a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
+++ b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
@@ -20,6 +20,9 @@
package org.onap.cps.rest.controller
+import org.onap.cps.config.WebSecurityConfig
+import org.springframework.context.annotation.Import
+
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
import org.springframework.beans.factory.annotation.Autowired
@@ -29,6 +32,7 @@ import org.springframework.test.web.servlet.MockMvc
import spock.lang.Specification
@WebMvcTest(TestController)
+@Import(WebSecurityConfig)
class ControllerSecuritySpec extends Specification {
@Autowired