From: Bruno Sakoto Date: Wed, 10 Mar 2021 18:13:50 +0000 (-0500) Subject: Suppress csrf sonar security hotspot warning X-Git-Tag: 1.1.0~106 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=99f0f0be7cc540dd32aacc770468d73444bcfb18;p=cps.git Suppress csrf sonar security hotspot warning Issue-ID: CPS-285 Signed-off-by: Bruno Sakoto Change-Id: I95d2b7d48714d21e2cdcaab36f3ba9903f0b5342
---
diff --git a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
index 943e02c273..5538341118 100644
--- a/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ b/cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java
@@ -44,6 +44,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 private static final String USER_ROLE = "USER";
 
 @Override
+ // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
+ // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
+ // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
+ // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
+ @SuppressWarnings("squid:S4502")
 protected void configure(final HttpSecurity http) throws Exception {
 http
 .csrf().disable()
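Review bot: The justification comment rests on the claim that every request carries an authentication token in a header, but the hunk does not show which authentication scheme WebSecurityConfig configures, and the argument only holds for a scheme the browser does not attach on its own; with HTTP Basic, browsers resend cached credentials automatically, so the CSRF exposure would be closer to a cookie-based application than the comment suggests. The comment should name the scheme it depends on, e.g. `// CSRF is disabled because clients authenticate with an explicit <AUTH-SCHEME> header that browsers do not attach automatically; revisit if cookie or Basic authentication is ever enabled.` Placing the comment and `@SuppressWarnings("squid:S4502")` between `@Override` and the method signature also reads oddly; the conventional layout keeps the two annotations adjacent with the explanatory comment above `@Override`. The body of configure() continues beyond the hunk.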