github-advanced-security[bot] commented on code in PR #7940:
URL: https://github.com/apache/geode/pull/7940#discussion_r2430964547
##########
geode-pulse/src/main/java/org/apache/geode/tools/pulse/internal/security/DefaultSecurityConfig.java:
##########
@@ -85,24 +107,22 @@
.exceptionHandling(exception -> exception
.accessDeniedPage("/accessDenied.html"))
.headers(header -> header
- .frameOptions().deny()
- .xssProtection(xss -> xss
- .xssProtectionEnabled(true)
- .block(true))
- .contentTypeOptions())
- .csrf().disable();
+ .frameOptions(frameOptions -> frameOptions.deny())
+ .xssProtection(xss -> xss.headerValue(
+
org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
+ .contentTypeOptions(contentTypeOptions -> {
+ }))
+ .csrf(csrf -> csrf.disable());
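Review bot: The `.contentTypeOptions(contentTypeOptions -> { })` on the new side is an empty customizer that exists only to keep the default header; Spring Security 6 provides `Customizer.withDefaults()` for exactly that, and `.contentTypeOptions(Customizer.withDefaults())` reads as intent rather than as a forgotten body. The inline fully-qualified `org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK` would likewise be clearer as an import of `XXssProtectionHeaderWriter.HeaderValue`. `ENABLED_MODE_BLOCK` does reproduce the removed `xssProtectionEnabled(true).block(true)` header value, but Spring Security 6 changed its own default to `HeaderValue.DISABLED` (`X-XSS-Protection: 0`) because the legacy XSS auditor has been removed from most current browsers, so this migration is the moment to decide explicitly whether Pulse still wants `1; mode=block` and to record that choice in a one-line comment above the `.xssProtection(...)` call. The OAuthSecurityConfig.java hunk below has the identical three points. The enclosing method starts before and ends after this hunk.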
Review Comment:
## Disabled Spring CSRF protection
CSRF vulnerability due to protection being disabled.
[Show more
details](https://github.com/apache/geode/security/code-scanning/119)
##########
geode-pulse/src/main/java/org/apache/geode/tools/pulse/internal/security/OAuthSecurityConfig.java:
##########
@@ -58,11 +78,12 @@
.addLogoutHandler(repositoryLogoutHandler)
.logoutSuccessHandler(oidcLogoutHandler))
.headers(header -> header
- .frameOptions().deny()
- .xssProtection(xss -> xss
- .xssProtectionEnabled(true)
- .block(true))
- .contentTypeOptions())
- .csrf().disable();
+ .frameOptions(frameOptions -> frameOptions.deny())
+ .xssProtection(xss -> xss.headerValue(
+
org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
+ .contentTypeOptions(contentTypeOptions -> {
+ }))
+ .csrf(csrf -> csrf.disable());
Review Comment:
## Disabled Spring CSRF protection
CSRF vulnerability due to protection being disabled.
[Show more
details](https://github.com/apache/geode/security/code-scanning/120)
##########
geode-web-management/src/main/java/org/apache/geode/management/internal/rest/security/RestSecurityConfiguration.java:
##########
@@ -16,98 +16,157 @@
import java.io.IOException;
-import java.util.Arrays;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
-import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import
org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.authentication.ProviderManager;
+import
org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.SecurityFilterChain;
import
org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.multipart.MultipartResolver;
-import org.springframework.web.multipart.commons.CommonsMultipartResolver;
+import
org.springframework.web.multipart.support.StandardServletMultipartResolver;
import org.apache.geode.management.api.ClusterManagementResult;
-import org.apache.geode.management.configuration.Links;
+/**
+ * Spring Security 6.x migration changes:
+ *
+ * <p>
+ * <b>Architecture Changes:</b>
+ * </p>
+ * <ul>
+ * <li>WebSecurityConfigurerAdapter → Component-based configuration (adapter
deprecated in Spring
+ * Security 5.7, removed in 6.0)</li>
+ * <li>Override methods → Bean-based SecurityFilterChain configuration</li>
+ * <li>ProviderManager constructor replaces AuthenticationManagerBuilder
pattern</li>
+ * </ul>
+ *
+ * <p>
+ * <b>API Modernization:</b>
+ * </p>
+ * <ul>
+ * <li>@EnableGlobalMethodSecurity → @EnableMethodSecurity (new annotation
name)</li>
+ * <li>antMatchers() → requestMatchers() with AntPathRequestMatcher
(deprecated method removed)</li>
+ * <li>Method chaining (.and()) → Lambda DSL configuration (modern fluent
API)</li>
+ * <li>authorizeRequests() → authorizeHttpRequests() (new method name)</li>
+ * </ul>
+ *
+ * <p>
+ * <b>Multipart Resolver:</b>
+ * </p>
+ * <ul>
+ * <li>CommonsMultipartResolver → StandardServletMultipartResolver</li>
+ * <li>Reason: Spring 6.x standardized on Servlet 3.0+ native multipart
support</li>
+ * <li>Note: Custom isMultipart() logic removed -
StandardServletMultipartResolver handles PUT/POST
+ * automatically</li>
+ * </ul>
+ *
+ * <p>
+ * <b>JWT Authentication Failure Handler:</b>
+ * </p>
+ * <ul>
+ * <li>Added explicit error response handling in
authenticationFailureHandler</li>
+ * <li>Returns proper HTTP 401 with JSON ClusterManagementResult for
UNAUTHENTICATED status</li>
+ * <li>Previously relied on default behavior; now explicitly defined for
clarity</li>
+ * </ul>
+ *
+ * <p>
+ * <b>Security Filter Chain:</b>
+ * </p>
+ * <ul>
+ * <li>configure(HttpSecurity) → filterChain(HttpSecurity) returning
SecurityFilterChain</li>
+ * <li>SecurityFilterChain bean is Spring Security 6.x's recommended
approach</li>
+ * <li>setAuthenticationManager() explicitly called on JwtAuthenticationFilter
(required in
+ * 6.x)</li>
+ * </ul>
+ */
@Configuration
@EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true)
+@EnableMethodSecurity(prePostEnabled = true)
// this package name needs to be different than the admin rest controller's
package name
// otherwise this component scan will pick up the admin rest controllers as
well.
@ComponentScan("org.apache.geode.management.internal.rest")
-public class RestSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class RestSecurityConfiguration {
@Autowired
private GeodeAuthenticationProvider authProvider;
@Autowired
private ObjectMapper objectMapper;
- @Override
- protected void configure(AuthenticationManagerBuilder auth) {
- auth.authenticationProvider(authProvider);
- }
-
@Bean
- @Override
- public AuthenticationManager authenticationManagerBean() throws Exception {
- return super.authenticationManagerBean();
+ public AuthenticationManager authenticationManager() {
+ return new ProviderManager(authProvider);
}
@Bean
public MultipartResolver multipartResolver() {
- return new CommonsMultipartResolver() {
- @Override
- public boolean isMultipart(HttpServletRequest request) {
- String method = request.getMethod().toLowerCase();
- // By default, only POST is allowed. Since this is an 'update' we
should accept PUT.
- if (!Arrays.asList("put", "post").contains(method)) {
- return false;
- }
- String contentType = request.getContentType();
- return (contentType != null &&
contentType.toLowerCase().startsWith("multipart/"));
- }
- };
+ // Spring 6.x uses StandardServletMultipartResolver instead of
CommonsMultipartResolver
+ return new StandardServletMultipartResolver();
}
- protected void configure(HttpSecurity http) throws Exception {
-
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
- .authorizeRequests()
- .antMatchers("/docs/**", "/swagger-ui.html", "/swagger-ui/index.html",
"/swagger-ui/**",
- "/", Links.URI_VERSION + "/api-docs/**",
"/webjars/springdoc-openapi-ui/**",
- "/v3/api-docs/**", "/swagger-resources/**")
- .permitAll()
- .and().csrf().disable();
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http.sessionManagement(
+ session ->
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+ .authorizeHttpRequests(authorize -> authorize
+ .requestMatchers(new AntPathRequestMatcher("/docs/**"),
+ new AntPathRequestMatcher("/swagger-ui.html"),
+ new AntPathRequestMatcher("/swagger-ui/index.html"),
+ new AntPathRequestMatcher("/swagger-ui/**"),
+ new AntPathRequestMatcher("/"),
+ new AntPathRequestMatcher("/v1/api-docs/**"),
+ new AntPathRequestMatcher("/webjars/springdoc-openapi-ui/**"),
+ new AntPathRequestMatcher("/v3/api-docs/**"),
+ new AntPathRequestMatcher("/swagger-resources/**"))
+ .permitAll())
+ .csrf(csrf -> csrf.disable());
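Review bot: The permit-all list on the new side hard-codes `new AntPathRequestMatcher("/v1/api-docs/**")` where the removed line derived the path from `Links.URI_VERSION + "/api-docs/**"` (and the `Links` import is dropped), so the anonymous-access rule will silently stop matching if that constant ever moves; `new AntPathRequestMatcher(Links.URI_VERSION + "/api-docs/**")` keeps the single source of truth at no cost, and the geode-web-api hunk below makes the same substitution. Separately, as far as I recall `authorizeHttpRequests` in Spring Security 6 denies any request that matches none of the declared rules, whereas the removed `authorizeRequests` let unmatched requests fall through to the authentication filters; this hunk declares only `permitAll()` rules and no `anyRequest()` clause, so it is worth confirming that the remainder of `filterChain`, which continues beyond this hunk, supplies one, otherwise requests outside the documentation paths would be refused. Finally, `StandardServletMultipartResolver` depends on the servlet registration carrying a `MultipartConfigElement`, which is also where request and file size caps are configured; the removed `CommonsMultipartResolver` set no such limit and this hunk does not show the registration, so make sure it exists and that its limits are deliberate.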
Review Comment:
## Disabled Spring CSRF protection
CSRF vulnerability due to protection being disabled.
[Show more
details](https://github.com/apache/geode/security/code-scanning/122)
##########
geode-web-api/src/main/java/org/apache/geode/rest/internal/web/security/RestSecurityConfiguration.java:
##########
@@ -19,47 +19,67 @@
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
-import
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import
org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.authentication.ProviderManager;
+import
org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import
org.springframework.security.config.annotation.web.builders.HttpSecurity;
import
org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
-import org.apache.geode.management.configuration.Links;
@Configuration
@EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true)
+// Spring Security 6.x migration: @EnableGlobalMethodSecurity deprecated,
replaced by
+// @EnableMethodSecurity
+@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true,
jsr250Enabled = true)
@ComponentScan("org.apache.geode.rest.internal.web")
-public class RestSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class RestSecurityConfiguration {
@Autowired
private GeodeAuthenticationProvider authProvider;
- @Override
- protected void configure(AuthenticationManagerBuilder auth) {
- auth.authenticationProvider(authProvider);
- }
-
+ /**
+ * Spring Security 6.x migration: Create AuthenticationManager bean using
ProviderManager.
+ * Previously configured via AuthenticationManagerBuilder in configure()
method.
+ */
@Bean
- @Override
- public AuthenticationManager authenticationManagerBean() throws Exception {
- return super.authenticationManagerBean();
+ public AuthenticationManager authenticationManager() {
+ return new ProviderManager(authProvider);
}
- @Override
- protected void configure(HttpSecurity http) throws Exception {
+ /**
+ * Spring Security 6.x migration: Configure security using
SecurityFilterChain bean.
+ * Replaces WebSecurityConfigurerAdapter's configure(HttpSecurity) method.
+ * Uses lambda-based configuration and authorizeHttpRequests() instead of
authorizeRequests().
+ */
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
- .authorizeRequests()
- .antMatchers("/docs/**", "/swagger-ui.html", "/swagger-ui/index.html",
"/swagger-ui/**",
- Links.URI_VERSION + "/api-docs/**",
"/webjars/springdoc-openapi-ui/**",
- "/v3/api-docs/**", "/swagger-resources/**")
- .permitAll().and().csrf().disable();
+ http.sessionManagement(
+ session ->
session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+ .authorizeHttpRequests(authorize -> authorize
+ .requestMatchers(new AntPathRequestMatcher("/docs/**"),
+ new AntPathRequestMatcher("/swagger-ui.html"),
+ new AntPathRequestMatcher("/swagger-ui/index.html"),
+ new AntPathRequestMatcher("/swagger-ui/**"),
+ new AntPathRequestMatcher("/v1/api-docs/**"),
+ new AntPathRequestMatcher("/webjars/springdoc-openapi-ui/**"),
+ new AntPathRequestMatcher("/v3/api-docs/**"),
+ new AntPathRequestMatcher("/swagger-resources/**"))
+ .permitAll())
+ .csrf(csrf -> csrf.disable());
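Review bot: The new `@EnableMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)` switches on `@Secured` and JSR-250 (`@RolesAllowed`, `@PermitAll`, `@DenyAll`) processing that the removed `@EnableGlobalMethodSecurity(prePostEnabled = true)` did not, while the sibling geode-web-management configuration in this PR keeps only `prePostEnabled`; unless controllers under `org.apache.geode.rest.internal.web` actually use those annotation families, this is an unexplained divergence between the two modules and makes it harder to audit which annotation guards a given endpoint. `prePostEnabled` is already the default of `@EnableMethodSecurity`, so `@EnableMethodSecurity` alone, with a comment naming the annotation family the REST controllers rely on, would be the minimal equivalent. The migration-history Javadoc on `authenticationManager()` and `filterChain()` will age quickly; a contract such as `Builds the stateless security filter chain for the REST API: the listed documentation paths are permitAll and CSRF is disabled.` serves readers better than the "previously configured via" narrative. `filterChain` continues beyond this hunk, so its `return http.build()` is not visible here.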
Review Comment:
## Disabled Spring CSRF protection
CSRF vulnerability due to protection being disabled.
[Show more
details](https://github.com/apache/geode/security/code-scanning/121)