2 * ============LICENSE_START=======================================================
3 * Copyright (c) 2021 Bell Canada.
4 * Modification Copyright (C) 2021 Pantheon.tech
5 * Modification Copyright (C) 2023 Nordix Foundation
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
18 * SPDX-License-Identifier: Apache-2.0
19 * ============LICENSE_END=========================================================
22 package org.onap.cps.config;
24 import org.springframework.beans.factory.annotation.Autowired;
25 import org.springframework.beans.factory.annotation.Value;
26 import org.springframework.context.annotation.Bean;
27 import org.springframework.context.annotation.Configuration;
28 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
29 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
30 import org.springframework.security.core.userdetails.User;
31 import org.springframework.security.core.userdetails.UserDetails;
32 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
33 import org.springframework.security.web.SecurityFilterChain;
36 * Configuration class to implement application security.
37 * It enforces Basic Authentication access control.
41 public class WebSecurityConfig {
43 private static final String USER_ROLE = "USER";
45 private final String username;
46 private final String password;
47 private final String[] permitUris;
50 * Constructor. Accepts parameters from configuration.
52 * @param permitUris comma-separated list of uri patterns for endpoints permitted
53 * @param username username
54 * @param password password
56 public WebSecurityConfig(
57 @Autowired @Value("${permit-uri}") final String permitUris,
58 @Autowired @Value("${security.auth.username}") final String username,
59 @Autowired @Value("${security.auth.password}") final String password
62 this.permitUris = permitUris.isEmpty() ? new String[] {"/v3/api-docs"} : permitUris.split("\\s{0,9},\\s{0,9}");
63 this.username = username;
64 this.password = password;
68 * Return the configuration for secure access to the modules REST end points.
70 * @param http the HTTP security settings.
71 * @return the HTTP security settings.
74 // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
75 // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
76 // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header.
77 // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
78 @SuppressWarnings("squid:S4502")
79 public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
83 .authorizeHttpRequests()
84 .requestMatchers(permitUris).permitAll()
85 .anyRequest().authenticated()
93 * In memory user authentication details.
95 * @return in memory authetication
98 public InMemoryUserDetailsManager userDetailsService() {
99 final UserDetails user = User.builder()
101 .password("{noop}" + password)
104 return new InMemoryUserDetailsManager(user);
Code Review / cps.git / blob