From a02274b7e4c373810a6bef6576058d4e2338c63b Mon Sep 17 00:00:00 2001
From: Cato Olsen
Date: Fri, 21 Feb 2025 18:42:49 +0100
Subject: [PATCH] Updates Spring Security unprotected paths for /internal.

---
 .../web/config/IdportenSecurityConfig.java | 24 +++++++++----------
 .../dolly/web/config/LocalSecurityConfig.java | 22 ++++++++---------
 .../config/SecurityConfig.java | 5 +---
 .../config/SecurityConfig.java | 9 +++----
 4 files changed, 25 insertions(+), 35 deletions(-)

diff --git a/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/IdportenSecurityConfig.java b/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/IdportenSecurityConfig.java
index 7a597553d66..837e59a4398 100644
--- a/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/IdportenSecurityConfig.java
+++ b/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/IdportenSecurityConfig.java
@@ -27,7 +27,7 @@
 @Configuration
 @Profile("idporten")
 @EnableWebFluxSecurity
-public class IdportenSecurityConfig {
+class IdportenSecurityConfig {
 
     private static final String LOGOUT = "/logout";
     private static final String LOGIN = "/login";
@@ -46,7 +46,7 @@ public IdportenSecurityConfig(
     }
 
     @Bean
-    public ServerOAuth2AuthorizationRequestResolver pkceResolver(ReactiveClientRegistrationRepository repo) {
+    ServerOAuth2AuthorizationRequestResolver pkceResolver(ReactiveClientRegistrationRepository repo) {
         var resolver = new DefaultServerOAuth2AuthorizationRequestResolver(repo);
         resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
         return resolver;
@@ -54,7 +54,7 @@ public ServerOAuth2AuthorizationRequestResolver pkceResolver(ReactiveClientRegis
 
     @SneakyThrows
     @Bean
-    public SecurityWebFilterChain configure(ServerHttpSecurity http, ServerOAuth2AuthorizationRequestResolver requestResolver) {
+    SecurityWebFilterChain configure(ServerHttpSecurity http, ServerOAuth2AuthorizationRequestResolver requestResolver) {
         var authenticationSuccessHandler = new DollyAuthenticationSuccessHandler();
         var authenticationManager = new AuthorizationCodeReactiveAuthenticationManger(JWK.parse(jwk));
         var logoutSuccessHandler = new LogoutSuccessHandler();
@@ -64,19 +64,17 @@ public SecurityWebFilterChain configure(ServerHttpSecurity http, ServerOAuth2Aut
                 .cors(ServerHttpSecurity.CorsSpec::disable)
                 .csrf(ServerHttpSecurity.CsrfSpec::disable)
                 .authorizeExchange(authorizeExchangeSpec -> authorizeExchangeSpec.pathMatchers(
-                        "/internal/isReady",
-                        "/internal/isAlive",
-                        "/assets/*",
-                        "/internal/metrics",
-                        "/oauth2/callback",
-                        "/favicon.ico",
-                        LOGIN,
-                        LOGOUT,
-                        "/oauth2/logout",
                         "/*.css",
                         "/*.js",
                         "/*.mjs",
-                        "/*.png"
+                        "/*.png",
+                        "/assets/*",
+                        "/favicon.ico",
+                        "/internal/**",
+                        "/oauth2/callback",
+                        "/oauth2/logout",
+                        LOGIN,
+                        LOGOUT
                 ).permitAll()
                 .anyExchange().authenticated())
                 .oauth2Login(oAuth2LoginSpec -> oAuth2LoginSpec
diff --git a/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/LocalSecurityConfig.java b/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/LocalSecurityConfig.java
index 2fdf751b210..ae44e031c9b 100644
--- a/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/LocalSecurityConfig.java
+++ b/apps/dolly-frontend/src/main/java/no/nav/dolly/web/config/LocalSecurityConfig.java
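Review bot: The new `"/internal/**"` entry in the permitAll list is broader than the three paths it replaces: in WebFlux's PathPattern `**` matches any number of trailing segments, so `/internal` itself and every present or future route beneath it become reachable without authentication, not just isReady, isAlive and metrics. Whether anything sensitive is served under that prefix (for example management endpoints relocated to that base path) cannot be seen from this hunk, so it should be checked against the application's properties before merging. If only the probes and the metrics scrape need to be public, the explicit entries preserve the previous allow-list: `"/internal/isAlive", "/internal/isReady", "/internal/metrics",` in place of the wildcard. The same widening appears in LocalSecurityConfig (@@ -18,33), endringsmelding-frontend SecurityConfig (@@ -16,10) and faste-data-frontend SecurityConfig (@@ -11,17). configure's body begins before and continues past this hunk.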
@@ -18,33 +18,31 @@
 @Configuration
 @Profile("local")
 @EnableWebFluxSecurity
-public class LocalSecurityConfig {
+class LocalSecurityConfig {
 
     private static final String LOGOUT = "/logout";
     private static final String LOGIN = "/login";
 
     @SneakyThrows
     @Bean
-    public SecurityWebFilterChain configure(ServerHttpSecurity http) {
+    SecurityWebFilterChain configure(ServerHttpSecurity http) {
         var authenticationSuccessHandler = new DollyAuthenticationSuccessHandler();
         var logoutSuccessHandler = new LogoutSuccessHandler();
 
         return http.cors(ServerHttpSecurity.CorsSpec::disable)
                 .csrf(ServerHttpSecurity.CsrfSpec::disable)
                 .authorizeExchange(authorizeExchangeSpec -> authorizeExchangeSpec.pathMatchers(
-                        "/internal/isReady",
-                        "/internal/isAlive",
-                        "/assets/*",
-                        "/internal/metrics",
-                        "/oauth2/callback",
-                        "/favicon.ico",
-                        LOGIN,
-                        LOGOUT,
-                        "/oauth2/logout",
                         "/*.css",
                         "/*.js",
                         "/*.mjs",
-                        "/*.png"
+                        "/*.png",
+                        "/assets/*",
+                        "/favicon.ico",
+                        "/internal/**",
+                        "/oauth2/callback",
+                        "/oauth2/logout",
+                        LOGIN,
+                        LOGOUT
                 ).permitAll()
                 .anyExchange().authenticated())
                 .oauth2Login(oAuth2LoginSpec -> oAuth2LoginSpec
diff --git a/apps/endringsmelding-frontend/src/main/java/no/nav/testnav/apps/endringsmeldingfrontend/config/SecurityConfig.java b/apps/endringsmelding-frontend/src/main/java/no/nav/testnav/apps/endringsmeldingfrontend/config/SecurityConfig.java
index 2a4acc7a187..4855eb08d60 100644
--- a/apps/endringsmelding-frontend/src/main/java/no/nav/testnav/apps/endringsmeldingfrontend/config/SecurityConfig.java
+++ b/apps/endringsmelding-frontend/src/main/java/no/nav/testnav/apps/endringsmeldingfrontend/config/SecurityConfig.java
@@ -16,10 +16,7 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
                 .cors(ServerHttpSecurity.CorsSpec::disable)
                 .csrf(ServerHttpSecurity.CsrfSpec::disable)
                 .authorizeExchange(spec -> spec
-                        .pathMatchers(
-                                "/internal/isReady",
-                                "/internal/isAlive",
-                                "/internal/metrics")
+                        .pathMatchers("/internal/**")
                         .permitAll()
                         .anyExchange()
                         .authenticated())
diff --git a/apps/faste-data-frontend/src/main/java/no/nav/testnav/apps/fastedatafrontend/config/SecurityConfig.java b/apps/faste-data-frontend/src/main/java/no/nav/testnav/apps/fastedatafrontend/config/SecurityConfig.java
index faa8957bf60..42e7f440358 100644
--- a/apps/faste-data-frontend/src/main/java/no/nav/testnav/apps/fastedatafrontend/config/SecurityConfig.java
+++ b/apps/faste-data-frontend/src/main/java/no/nav/testnav/apps/fastedatafrontend/config/SecurityConfig.java
@@ -11,17 +11,14 @@
 @EnableWebFluxSecurity
 @EnableReactiveMethodSecurity
 @Configuration
-public class SecurityConfig {
+class SecurityConfig {
 
     @Bean
-    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
         return http
                 .csrf(ServerHttpSecurity.CsrfSpec::disable)
                 .authorizeExchange(spec -> spec
-                        .pathMatchers(
-                                "/internal/isReady",
-                                "/internal/isAlive",
-                                "/internal/metrics")
+                        .pathMatchers("/internal/**")
                         .permitAll()
                         .anyExchange()
                         .authenticated())