diff options
3 files changed, 43 insertions, 15 deletions
diff --git a/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java b/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java index a51d4862..1eb9523d 100644 --- a/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java +++ b/src/main/java/org/onap/cps/ncmp/dmi/config/WebSecurityConfig.java @@ -1,6 +1,6 @@ /* * ============LICENSE_START======================================================= - * Copyright (C) 2021 Nordix Foundation + * Copyright (C) 2021-2023 Nordix Foundation * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,11 +22,14 @@ package org.onap.cps.ncmp.dmi.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; /** * Configuration class to implement application security. @@ -34,7 +37,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur */ @Configuration @EnableWebSecurity -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { +public class WebSecurityConfig { private static final String USER_ROLE = "USER"; @@ -60,23 +63,43 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { this.password = password; } - @Override + /** + * Return the configuration for secure access to the modules REST end points. + * + * @param http the HTTP security settings. + * @return the HTTP security settings. + */ + @Bean // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation. // ncmp is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in // web browsers are. ncmp does not manage sessions, each request requires the authentication token in the header. // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf @SuppressWarnings("squid:S4502") - protected void configure(final HttpSecurity http) throws Exception { + public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception { http - .csrf().disable() - .authorizeRequests() - .antMatchers(permitUris).permitAll() - .anyRequest().authenticated() - .and().httpBasic(); + .httpBasic() + .and() + .authorizeRequests() + .antMatchers(permitUris).permitAll() + .anyRequest().authenticated() + .and() + .csrf().disable(); + + return http.build(); } - @Override - protected void configure(final AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication().withUser(username).password("{noop}" + password).roles(USER_ROLE); + /** + * In memory user authenticaion details. + * + * @return in memory authentication. + */ + @Bean + public InMemoryUserDetailsManager userDetailsService() { + final UserDetails user = User.builder() + .username(username) + .password("{noop}" + password) + .roles(USER_ROLE) + .build(); + return new InMemoryUserDetailsManager(user); } } diff --git a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy index 67de1b93..3f5d4a80 100644 --- a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy +++ b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/ControllerSecuritySpec.groovy @@ -1,6 +1,6 @@ /* * ============LICENSE_START======================================================= - * Copyright (C) 2021-2022 Nordix Foundation + * Copyright (C) 2021-2023 Nordix Foundation * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,6 +21,7 @@ package org.onap.cps.ncmp.dmi.rest.controller import org.onap.cps.ncmp.dmi.config.WebSecurityConfig +import org.springframework.context.annotation.Import import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get @@ -31,6 +32,7 @@ import org.springframework.test.web.servlet.MockMvc import spock.lang.Specification @WebMvcTest(controllers = TestController.class) +@Import(WebSecurityConfig) class ControllerSecuritySpec extends Specification { @Autowired diff --git a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy index 5caef07f..96c1ed8e 100644 --- a/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy +++ b/src/test/groovy/org/onap/cps/ncmp/dmi/rest/controller/DmiRestControllerSpec.groovy @@ -23,6 +23,7 @@ package org.onap.cps.ncmp.dmi.rest.controller import org.onap.cps.ncmp.dmi.TestUtils +import org.onap.cps.ncmp.dmi.config.WebSecurityConfig import org.onap.cps.ncmp.dmi.exception.DmiException import org.onap.cps.ncmp.dmi.exception.ModuleResourceNotFoundException import org.onap.cps.ncmp.dmi.exception.ModulesNotFoundException @@ -39,6 +40,7 @@ import org.spockframework.spring.SpringBean import org.springframework.beans.factory.annotation.Autowired import org.springframework.beans.factory.annotation.Value import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest +import org.springframework.context.annotation.Import import org.springframework.http.HttpStatus import org.springframework.http.MediaType import org.springframework.kafka.core.KafkaTemplate @@ -57,6 +59,7 @@ import static org.onap.cps.ncmp.dmi.model.DataAccessRequest.OperationEnum.UPDATE import static org.springframework.http.HttpStatus.CREATED import static org.springframework.http.HttpStatus.OK +@Import(WebSecurityConfig) @WebMvcTest(DmiRestController.class) @WithMockUser class DmiRestControllerSpec extends Specification { |