From 16352314819e03143e91d76b3157a125d3e49f8d Mon Sep 17 00:00:00 2001 From: Denes Nemeth Date: Tue, 20 Mar 2018 11:19:03 +0100 Subject: Add spring security to mitigate cve-2017-4995 Change-Id: Iad2a48353e3cd0eb79daa10b0f274c83c89f3c93 Signed-off-by: Denes Nemeth Issue-ID: VFC-728 --- .../vnfm/svnfm/nokia/spring/SecurityConfig.java | 48 ++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java (limited to 'nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java') diff --git a/nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java b/nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java new file mode 100644 index 00000000..e3dd0714 --- /dev/null +++ b/nokiav2/driver/src/main/java/org/onap/vfc/nfvo/driver/vnfm/svnfm/nokia/spring/SecurityConfig.java @@ -0,0 +1,48 @@ +/* + * Copyright 2016-2017, Nokia Corporation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.spring; + +import org.springframework.context.annotation.Configuration; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; + +/** + * Responsible for initializing the Spring security + */ +@Configuration +@EnableWebSecurity +public class SecurityConfig extends WebSecurityConfigurerAdapter { + + /** + * Does not configure security, but solves the https://pivotal.io/security/cve-2017-4995 + * "The fix ensures that by default only explicitly mapped classes will be deserialized. + * The effect of using explicitly mapped classes is to create a whitelist which works with all + * supported versions of Jackson. If users explicitly opt into global default typing, the previous + * potentially dangerous configuration is restored." + * + * @param http the security configuration + */ + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .anyRequest() + .permitAll(); + } + +} -- cgit 1.2.3-korg