X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cps-application%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fcps%2Fconfig%2FWebSecurityConfig.java;h=c8b2509637e6e0beaa396711dff85c8ac4730a0f;hb=a01f8861a84931f4bdf2d69fa05a793afabc22e0;hp=fbf1be9a1837ac6f00821d94c03d07a79c1a18cb;hpb=0d6bbae9baa4531f5b5c3009fa72e691cf30fe41;p=cps.git

diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
index fbf1be9a1..c8b250963 100644
--- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
@@ -2,6 +2,7 @@
  *  ============LICENSE_START=======================================================
  *  Copyright (c) 2021 Bell Canada.
  *  Modification Copyright (C) 2021 Pantheon.tech
+ *  Modification Copyright (C) 2023 Nordix Foundation
  *  ================================================================================
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -22,11 +23,14 @@ package org.onap.cps.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * Configuration class to implement application security.
@@ -34,7 +38,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
  */
 @Configuration
 @EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
     private static final String USER_ROLE = "USER";
 
@@ -50,33 +54,53 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
      * @param password   password
      */
     public WebSecurityConfig(
-        @Autowired @Value("${security.permit-uri}") final String permitUris,
+        @Autowired @Value("${permit-uri}") final String permitUris,
         @Autowired @Value("${security.auth.username}") final String username,
         @Autowired @Value("${security.auth.password}") final String password
     ) {
         super();
-        this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s*,\\s*");
+        this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s{0,9},\\s{0,9}");
         this.username = username;
         this.password = password;
     }
 
-    @Override
+    /**
+     * Return the configuration for secure access to the modules REST end points.
+     *
+     * @param http the HTTP security settings.
+     * @return the HTTP security settings.
+     */
+    @Bean
     // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
     // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
     // web browsers are. CPS  does not manage sessions, each request requires the authentication token in the header.
     // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
     @SuppressWarnings("squid:S4502")
-    protected void configure(final HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
         http
-            .csrf().disable()
-            .authorizeRequests()
-            .antMatchers(permitUris).permitAll()
-            .anyRequest().authenticated()
-            .and().httpBasic();
+                .httpBasic()
+                .and()
+                .authorizeHttpRequests()
+                .requestMatchers(permitUris).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .csrf().disable();
+
+        return http.build();
     }
 
-    @Override
-    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
-        auth.inMemoryAuthentication().withUser(username).password("{noop}" + password).roles(USER_ROLE);
+    /**
+     * In memory user authentication details.
+     *
+     * @return in memory authetication
+     */
+    @Bean
+    public InMemoryUserDetailsManager userDetailsService() {
+        final UserDetails user = User.builder()
+                .username(username)
+                .password("{noop}" + password)
+                .roles(USER_ROLE)
+                .build();
+        return new InMemoryUserDetailsManager(user);
     }
 }