2 * ============LICENSE_START=======================================================
3 * Copyright (C) 2021-2023 Nordix Foundation
4 * ================================================================================
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
17 * SPDX-License-Identifier: Apache-2.0
18 * ============LICENSE_END=========================================================
21 package org.onap.cps.ncmp.dmi.config;
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
36 * Configuration class to implement application security.
37 * It enforces Basic Authentication access control.
41 public class WebSecurityConfig {
// Role granted to the single in-memory user that Basic Authentication resolves to.
private static final String USER_ROLE = "USER";

// Basic Authentication credentials taken from the security.auth.* properties. Both are kept exactly as
// configured (the password is not hashed here), so the configuration object holds the secret in clear text.
private final String username;
private final String password;
// URI patterns (from security.permit-uri) whose requests are served without any authentication.
private final String[] permitUris;
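/**
 * Constructor. Accepts parameters from configuration.
 *
 * <p>Each entry of {@code permitUris} is stripped of surrounding whitespace and blank entries (a leading,
 * trailing or doubled comma) are dropped, so that no empty pattern is ever registered as a permitted
 * endpoint. An empty property keeps the default of permitting only {@code /v3/api-docs}.
 *
 * @param permitUris comma-separated list of uri patterns for endpoints permitted without authentication
 * @param username   username for Basic Authentication
 * @param password   password for Basic Authentication (held as configured, in clear text)
 */
public WebSecurityConfig(
        @Autowired @Value("${security.permit-uri}") final String permitUris,
        @Autowired @Value("${security.auth.username}") final String username,
        @Autowired @Value("${security.auth.password}") final String password
) {
    // Every pattern in this array bypasses authentication, so only the empty property falls back to the
    // OpenAPI document; any other value is taken literally after whitespace clean-up.
    this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : parsePermitUris(permitUris);
    this.username = username;
    this.password = password;
}

/**
 * Splits a comma-separated list of uri patterns into individual patterns.
 *
 * @param commaSeparatedUris the raw {@code security.permit-uri} value, must not be empty
 * @return the non-blank patterns, each stripped of surrounding whitespace (may be empty)
 */
private static String[] parsePermitUris(final String commaSeparatedUris) {
    return Arrays.stream(commaSeparatedUris.split(","))
        .map(String::strip)
        .filter(uriPattern -> !uriPattern.isEmpty())
        .toArray(String[]::new);
}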
/**
 * Return the configuration for secure access to the modules REST end points.
 *
 * <p>Requests matching one of the configured permit patterns are served without credentials; every other
 * request must carry valid HTTP Basic credentials. The permit matchers are registered before
 * {@code anyRequest()}, which is what makes them take precedence. Basic credentials travel with every
 * request, so this chain is only meant to be exposed over TLS.
 *
 * @param http the HTTP security settings.
 * @return the HTTP security settings.
 * @throws Exception if the filter chain cannot be built
 */
@Bean
// The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
// ncmp is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
// web browsers are. ncmp does not manage sessions, each request requires the authentication token in the header.
// See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
@SuppressWarnings("squid:S4502")
public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
    // HTTP Basic with Spring's defaults; the empty customizer changes nothing.
    http.httpBasic(basic -> {});
    // Anything matching a permit pattern is open; everything else needs an authenticated principal.
    http.authorizeHttpRequests(authorize -> authorize
        .requestMatchers(permitUris).permitAll()
        .anyRequest().authenticated());
    http.csrf(AbstractHttpConfigurer::disable);
    return http.build();
}
/**
 * In memory user authentication details.
 *
 * <p>A single user is registered from the configured username and password and granted {@code USER_ROLE}.
 *
 * @return in memory authentication.
 */
@Bean
public InMemoryUserDetailsManager userDetailsService() {
    final User.UserBuilder userBuilder = User.builder();
    userBuilder.username(username);
    // The {noop} prefix selects Spring's no-op password encoder: the configured secret is stored and
    // compared as clear text rather than hashed.
    userBuilder.password("{noop}" + password);
    userBuilder.roles(USER_ROLE);
    final UserDetails user = userBuilder.build();
    return new InMemoryUserDetailsManager(user);
}