Suppress csrf sonar security hotspot warning 98/119098/2
author Bruno Sakoto <bruno.sakoto@bell.ca>
Wed, 10 Mar 2021 18:13:50 +0000 (13:13 -0500)
committer Toine Siebelink <toine.siebelink@est.tech>
Thu, 11 Mar 2021 14:28:35 +0000 (14:28 +0000)
Issue-ID: CPS-285
Signed-off-by: Bruno Sakoto <bruno.sakoto@bell.ca>
Change-Id: I95d2b7d48714d21e2cdcaab36f3ba9903f0b5342

cps-rest/src/main/java/org/onap/cps/config/WebSecurityConfig.java

index 943e02c..5538341 100644
@@ -44,6 +44,11 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     private static final String USER_ROLE = "USER";
 
     @Override
+    // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation.
+    // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in
+    // web browsers are. CPS  does not manage sessions, each request requires the authentication token in the header.
+    // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf
+    @SuppressWarnings("squid:S4502")
     protected void configure(final HttpSecurity http) throws Exception {
         http
                 .csrf().disable()
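Review bot: The justification in the added comment rests on the claim that "each request requires the authentication token in the header", but the hunk does not show which authentication mechanism that is, and the argument only holds for credentials a browser never attaches on its own. A session cookie, or HTTP Basic credentials the browser has cached for the origin, are sent automatically on a cross-site request, in which case a stateless API is still exposed and `.csrf().disable()` is not safe. Please have the comment name the mechanism explicitly (for example "a bearer token that clients set per request, never a cookie or browser-cached credential") so that the suppression of S4502 stays justified, and revisit it if the authentication scheme ever changes. Two smaller points: the comment block sits between `@Override` and `@SuppressWarnings("squid:S4502")`, which reads oddly; move it above `@Override` so all annotations stay together. And in the comment itself, "CSRF tokens validation" should be "CSRF token validation" and "CPS  does not" has a double space.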