2 * ============LICENSE_START=======================================================
3 * Copyright (c) 2021 Bell Canada.
4 * Modification Copyright (C) 2021 Pantheon.tech
5 * Modification Copyright (C) 2023 Nordix Foundation
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
18 * SPDX-License-Identifier: Apache-2.0
19 * ============LICENSE_END=========================================================
22 package org.onap.cps.config;
24 import org.springframework.beans.factory.annotation.Autowired;
25 import org.springframework.beans.factory.annotation.Value;
26 import org.springframework.context.annotation.Bean;
27 import org.springframework.context.annotation.Configuration;
28 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
29 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
30 import org.springframework.security.core.userdetails.User;
31 import org.springframework.security.core.userdetails.UserDetails;
32 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
33 import org.springframework.security.web.SecurityFilterChain;
36 * Configuration class to implement application security.
37 * It enforces Basic Authentication access control.
41 public class WebSecurityConfig {
42 private static final String USER_ROLE = "USER";
43 private final String username;
44 private final String password;
45 private final String[] permitUris;
/**
 * Creates the security configuration from application properties.
 *
 * @param permitUris comma-separated request patterns reachable without authentication;
 *                   when the value is empty only {@code /v3/api-docs} stays open
 * @param username   user name of the single Basic-Auth user
 * @param password   password of that user, kept as configured (see {@link #userDetailsService()})
 */
public WebSecurityConfig(
        @Autowired @Value("${permit-uri}") final String permitUris,
        @Autowired @Value("${security.auth.username}") final String username,
        @Autowired @Value("${security.auth.password}") final String password
) {
    final String[] defaultPermitUris = {"/v3/api-docs"};
    // Separator regex with bounded whitespace quantifiers; presumably chosen over \s* so the
    // pattern stays bounded on long inputs.
    final String separatorPattern = "\\s{0,9},\\s{0,9}";
    this.username = username;
    this.password = password;
    if (permitUris.isEmpty()) {
        this.permitUris = defaultPermitUris;
    } else {
        this.permitUris = permitUris.split(separatorPattern);
    }
}
/**
 * Builds the filter chain protecting the REST endpoints: HTTP Basic authentication, the configured
 * {@code permitUris} open to everyone, and every other request required to be authenticated.
 *
 * @param http the HTTP security settings
 * @return the built security filter chain
 * @throws Exception if the chain cannot be built
 */
@Bean
// The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
// CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
// web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
// See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
@SuppressWarnings("squid:S4502")
public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
    http
        // Basic authentication with default settings; no customisation needed.
        .httpBasic(basic -> { })
        .authorizeHttpRequests(requests -> requests
            // Only the configured patterns bypass authentication; everything else is default-deny.
            .requestMatchers(permitUris).permitAll()
            .anyRequest().authenticated())
        // See the rationale above; S4502 is suppressed for this line.
        .csrf(csrf -> csrf.disable());
    return http.build();
}
/**
 * Registers the single in-memory user that Basic Authentication is checked against.
 * The password is stored with the {@code {noop}} prefix, i.e. it is compared as plain text.
 *
 * @return the in-memory user store holding the configured user
 */
@Bean
public InMemoryUserDetailsManager userDetailsService() {
    // {noop} selects Spring's no-op password encoder: the configured value is held and compared
    // as-is, not hashed. NOTE(review): if deployments could supply pre-hashed values, a hashing
    // encoder id prefix (e.g. {bcrypt}) would avoid keeping the clear-text password in memory.
    final String storedPassword = "{noop}" + password;
    final UserDetails configuredUser = User.builder()
            .username(username)
            .password(storedPassword)
            .roles(USER_ROLE)
            .build();
    return new InMemoryUserDetailsManager(configuredUser);
}