2 * ============LICENSE_START=======================================================
3 * Copyright (c) 2021 Bell Canada.
4 * Modification Copyright (C) 2021 Pantheon.tech
5 * Modification Copyright (C) 2023 Nordix Foundation
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
18 * SPDX-License-Identifier: Apache-2.0
19 * ============LICENSE_END=========================================================
22 package org.onap.cps.config;
24 import org.springframework.beans.factory.annotation.Autowired;
25 import org.springframework.beans.factory.annotation.Value;
26 import org.springframework.context.annotation.Bean;
27 import org.springframework.context.annotation.Configuration;
28 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
29 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
30 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
31 import org.springframework.security.core.userdetails.User;
32 import org.springframework.security.core.userdetails.UserDetails;
33 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
34 import org.springframework.security.web.SecurityFilterChain;
37 * Configuration class implementing application security.
38 * It enforces Basic Authentication access control on every endpoint except the configured permit-uri patterns.
42 public class WebSecurityConfig {
// Role name for the configured user; presumably assigned where the user is built (not in view) — confirm.
43 private static final String USER_ROLE = "USER";
// Basic Authentication credentials read from the security.auth.* properties.
// The password is held as configured, in clear text, and registered with the {noop} encoder prefix.
44 private final String username;
45 private final String password;
// URI patterns reachable without authentication (from the permit-uri property, split on commas).
46 private final String[] permitUris;
49 * Constructor. Accepts parameters from configuration.
51 * @param permitUris comma-separated list of URI patterns for endpoints that may be called without authentication; an empty value defaults to {@code /v3/api-docs}
52 * @param username the Basic Authentication username
53 * @param password the Basic Authentication password
public WebSecurityConfig(
        @Autowired @Value("${permit-uri}") final String permitUris,
        @Autowired @Value("${security.auth.username}") final String username,
        @Autowired @Value("${security.auth.password}") final String password) {
    // An empty permit-uri still leaves /v3/api-docs reachable anonymously; any other
    // value is split on commas, tolerating up to nine spaces on either side of each
    // comma (bounded quantifier; entries padded with more whitespace are not trimmed).
    final String[] openPatterns;
    if (permitUris.isEmpty()) {
        openPatterns = new String[] {"/v3/api-docs"};
    } else {
        openPatterns = permitUris.split("\\s{0,9},\\s{0,9}");
    }
    this.permitUris = openPatterns;
    this.username = username;
    this.password = password;
}
67 * Builds the security filter chain that protects the module's REST endpoints.
69 * @param http the HTTP security settings to configure.
70 * @return the built security filter chain.
73 // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
74 // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
75 // web browsers are. CPS does not manage sessions; each request must carry the authentication credentials in its header.
76 // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
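@Bean
@SuppressWarnings("squid:S4502")
public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
    http
        .httpBasic(httpBasicCustomizer -> {})
        .authorizeHttpRequests(authorizeHttpRequestsCustomizer -> {
            // Only the configured permit-uri patterns are open; every other
            // request must present valid Basic Authentication credentials.
            authorizeHttpRequestsCustomizer.requestMatchers(permitUris).permitAll();
            authorizeHttpRequestsCustomizer.anyRequest().authenticated();
        })
        // Deliberately disabled; see the rationale in the comment above this method.
        // NOTE(review): clients that cache Basic credentials (browsers do) resend them
        // automatically, so the stateless argument holds for API clients rather than
        // browser-driven use — confirm the threat model covers browser-originated calls.
        .csrf(AbstractHttpConfigurer::disable);
    // Materialise the configured chain so Spring Security can register it.
    return http.build();
}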
90 * In-memory user store holding the single configured Basic Authentication user; the password is registered with the {@code {noop}} prefix, i.e. compared unhashed against the configured value, so that property must be protected as a secret.
92 * @return the in-memory user details manager
95 public InMemoryUserDetailsManager userDetailsService() {
96 final UserDetails user = User.builder()
98 .password("{noop}" + password)
101 return new InMemoryUserDetailsManager(user);