github-code-scanning[bot] commented on code in PR #362:
URL: https://github.com/apache/syncope/pull/362#discussion_r922311353
##########
core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java:
##########
@@ -74,66 +75,65 @@
}
@Bean
- public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(
- final ApplicationContext ctx,
+ public WebSecurityCustomizer webSecurityCustomizer(final HttpFirewall
allowUrlEncodedSlashHttpFirewall) {
+ return web -> web.httpFirewall(allowUrlEncodedSlashHttpFirewall);
+ }
+
+ @Bean
+ public SecurityFilterChain filterChain(
+ final HttpSecurity http,
+ final UsernamePasswordAuthenticationProvider
usernamePasswordAuthenticationProvider,
+ final JWTAuthenticationProvider jwtAuthenticationProvider,
final SecurityProperties securityProperties,
- final HttpFirewall allowUrlEncodedSlashHttpFirewall) {
-
- return new WebSecurityConfigurerAdapter(true) {
-
- @Override
- public void configure(final WebSecurity web) {
- web.httpFirewall(allowUrlEncodedSlashHttpFirewall);
- }
-
- @Override
- protected void configure(final HttpSecurity http) throws Exception
{
- SyncopeAuthenticationDetailsSource authenticationDetailsSource
=
- new SyncopeAuthenticationDetailsSource();
-
- AnonymousAuthenticationProvider
anonymousAuthenticationProvider =
- new
AnonymousAuthenticationProvider(ANONYMOUS_BEAN_KEY);
- AnonymousAuthenticationFilter anonymousAuthenticationFilter =
- new AnonymousAuthenticationFilter(
- ANONYMOUS_BEAN_KEY,
- securityProperties.getAnonymousUser(),
-
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
-
anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
-
- SyncopeBasicAuthenticationEntryPoint
basicAuthenticationEntryPoint =
- new SyncopeBasicAuthenticationEntryPoint();
- basicAuthenticationEntryPoint.setRealmName("Apache Syncope
authentication");
-
- JWTAuthenticationFilter jwtAuthenticationFilter = new
JWTAuthenticationFilter(
- authenticationManager(),
- basicAuthenticationEntryPoint,
- authenticationDetailsSource,
- ctx.getBean(AuthDataAccessor.class),
- ctx.getBean(DefaultCredentialChecker.class));
-
- http.authorizeRequests().
- antMatchers("/**").permitAll().and().
-
sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
- securityContext().securityContextRepository(new
NullSecurityContextRepository()).and().
- anonymous().
-
authenticationProvider(anonymousAuthenticationProvider).
-
authenticationFilter(anonymousAuthenticationFilter).and().
-
httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
-
authenticationDetailsSource(authenticationDetailsSource).and().
-
exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
- addFilterBefore(jwtAuthenticationFilter,
BasicAuthenticationFilter.class).
- addFilterBefore(new MustChangePasswordFilter(),
FilterSecurityInterceptor.class).
- headers().disable().
- csrf().disable();
- }
-
- @Override
- protected void configure(final AuthenticationManagerBuilder
builder) throws Exception {
- builder.
-
authenticationProvider(ctx.getBean(UsernamePasswordAuthenticationProvider.class)).
-
authenticationProvider(ctx.getBean(JWTAuthenticationProvider.class));
- }
- };
+ final ApplicationContext ctx) throws Exception {
+
+ AuthenticationManager authenticationManager =
http.getSharedObject(AuthenticationManagerBuilder.class).
+ authenticationProvider(usernamePasswordAuthenticationProvider).
+ authenticationProvider(jwtAuthenticationProvider).
+ build();
+
+ SyncopeAuthenticationDetailsSource authenticationDetailsSource =
+ new SyncopeAuthenticationDetailsSource();
+
+ AnonymousAuthenticationProvider anonymousAuthenticationProvider =
+ new AnonymousAuthenticationProvider(ANONYMOUS_BEAN_KEY);
+ AnonymousAuthenticationFilter anonymousAuthenticationFilter =
+ new AnonymousAuthenticationFilter(
+ ANONYMOUS_BEAN_KEY,
+ securityProperties.getAnonymousUser(),
+ AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+
anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
+
+ SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint =
+ new SyncopeBasicAuthenticationEntryPoint();
+ basicAuthenticationEntryPoint.setRealmName("Apache Syncope
authentication");
+
+ JWTAuthenticationFilter jwtAuthenticationFilter = new
JWTAuthenticationFilter(
+ authenticationManager,
+ basicAuthenticationEntryPoint,
+ authenticationDetailsSource,
+ ctx.getBean(AuthDataAccessor.class),
+ ctx.getBean(DefaultCredentialChecker.class));
+
+ MustChangePasswordFilter mustChangePasswordFilter = new
MustChangePasswordFilter();
+
+ http.authenticationManager(authenticationManager).
+ authorizeRequests().
+ antMatchers("/**").permitAll().and().
+
sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
+ securityContext().securityContextRepository(new
NullSecurityContextRepository()).and().
+ anonymous().
+ authenticationProvider(anonymousAuthenticationProvider).
+ authenticationFilter(anonymousAuthenticationFilter).and().
+
httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
+ authenticationDetailsSource(authenticationDetailsSource).and().
+
exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
+ addFilterBefore(jwtAuthenticationFilter,
BasicAuthenticationFilter.class).
+ addFilterBefore(mustChangePasswordFilter,
FilterSecurityInterceptor.class).
+ headers().disable().
+ csrf().disable();
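Review bot: `headers().disable()` at the end of the chain switches off every default security header Spring would add (Cache-Control/Pragma, X-Content-Type-Options, X-Frame-Options, HSTS when on TLS), so responses carrying JWT-authenticated data go out with no `Cache-Control: no-store`; if the intent is only to drop the frame-options or caching headers for the REST API, disable those selectively, e.g. `headers().frameOptions().disable().and().csrf().disable();`, and keep the rest — I cannot see from this hunk why the whole block was disabled, so please confirm the reason in a short comment on that line. As a style point, `ctx.getBean(AuthDataAccessor.class)` and `ctx.getBean(DefaultCredentialChecker.class)` look out of place now that `usernamePasswordAuthenticationProvider` and `jwtAuthenticationProvider` are injected as bean-method parameters; injecting the two remaining collaborators the same way would let the `ApplicationContext ctx` parameter go away and would surface a missing bean at context startup rather than inside this method. The shared `AuthenticationManagerBuilder` is built before `anonymous().authenticationProvider(...)` is registered, so the anonymous provider is presumably not part of the manager passed to `http.authenticationManager(...)`; that is likely harmless for this stateless setup but worth a one-line comment. The `filterChain` method body continues past the end of the hunk.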
Review Comment:
## Disabled Spring CSRF protection
CSRF vulnerability due to protection being disabled.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1119)