From: Toine Siebelink <toine.siebelink@est.tech>
Date: Tue, 20 Jun 2023 07:30:56 +0000 (+0000)
Subject: Merge "Replace deprecated WebSecurityConfigurerAdapter"
X-Git-Tag: 3.3.3~35
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=cbf4044e840ea9473cd42f0a47c53dcafee8ba94;hp=fa81dc934ef7e9649aca9c6bdcdc611f28d6fe0d;p=cps.git

Merge "Replace deprecated WebSecurityConfigurerAdapter"
---

diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
index 93a3a6ed2..aedc6a8d6 100644
--- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
+++ b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java
@@ -2,6 +2,7 @@
  *  ============LICENSE_START=======================================================
  *  Copyright (c) 2021 Bell Canada.
  *  Modification Copyright (C) 2021 Pantheon.tech
+ *  Modification Copyright (C) 2023 Nordix Foundation
  *  ================================================================================
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -22,11 +23,14 @@ package org.onap.cps.config;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
 
 /**
  * Configuration class to implement application security.
@@ -34,7 +38,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
  */
 @Configuration
 @EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+public class WebSecurityConfig {
 
     private static final String USER_ROLE = "USER";
 
@@ -60,23 +64,43 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         this.password = password;
     }
 
-    @Override
+    /**
+     * Return the configuration for secure access to the modules REST end points.
+     *
+     * @param http the HTTP security settings.
+     * @return the HTTP security settings.
+     */
+    @Bean
     // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
     // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
     // web browsers are. CPS  does not manage sessions, each request requires the authentication token in the header.
     // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
     @SuppressWarnings("squid:S4502")
-    protected void configure(final HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
         http
-            .csrf().disable()
-            .authorizeRequests()
-            .antMatchers(permitUris).permitAll()
-            .anyRequest().authenticated()
-            .and().httpBasic();
+                .httpBasic()
+                .and()
+                .authorizeRequests()
+                .antMatchers(permitUris).permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .csrf().disable();
+
+        return http.build();
     }
 
-    @Override
-    protected void configure(final AuthenticationManagerBuilder auth) throws Exception {
-        auth.inMemoryAuthentication().withUser(username).password("{noop}" + password).roles(USER_ROLE);
+    /**
+     * In memory user authentication details.
+     *
+     * @return in memory authetication
+     */
+    @Bean
+    public InMemoryUserDetailsManager userDetailsService() {
+        final UserDetails user = User.builder()
+                .username(username)
+                .password("{noop}" + password)
+                .roles(USER_ROLE)
+                .build();
+        return new InMemoryUserDetailsManager(user);
     }
 }
diff --git a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
index 5c255f1da..ccadc5724 100755
--- a/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
+++ b/cps-application/src/test/groovy/org/onap/cps/rest/controller/ControllerSecuritySpec.groovy
@@ -20,6 +20,9 @@
 
 package org.onap.cps.rest.controller
 
+import org.onap.cps.config.WebSecurityConfig
+import org.springframework.context.annotation.Import
+
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
 
 import org.springframework.beans.factory.annotation.Autowired
@@ -29,6 +32,7 @@ import org.springframework.test.web.servlet.MockMvc
 import spock.lang.Specification
 
 @WebMvcTest(TestController)
+@Import(WebSecurityConfig)
 class ControllerSecuritySpec extends Specification {
 
     @Autowired