diff options
Diffstat (limited to 'nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java')
-rw-r--r-- | nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java b/nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java index e3dd0714..708376d1 100644 --- a/nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java +++ b/nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java @@ -18,6 +18,7 @@ package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.spring; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @@ -45,4 +46,18 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter { .permitAll(); } + /** + * Does not configure security, but solves the https://pivotal.io/security/cve-2017-4995 + * "The fix ensures that by default only explicitly mapped classes will be deserialized. + * The effect of using explicitly mapped classes is to create a whitelist which works with all + * supported versions of Jackson. If users explicitly opt into global default typing, the previous + * potentially dangerous configuration is restored." + * + * @param web the web security configuration + */ + @Override + public void configure(WebSecurity web) throws Exception { + web.ignoring().anyRequest(); + } + } |