SHIBUI-2510

Updated spring security config to match more strict usage in newer spring version

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java

@@ -110,7 +110,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.csrf((csrf) -> csrf.csrfTokenRequestHandler(requestHandler));
         http
             .authorizeHttpRequests()
-            .requestMatchers("/unsecured/**/*","/entities/**/*","/actuator/**", "/api/beacon/send").permitAll()
+            .requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+                             new AntPathRequestMatcher("/entities/**/*"),
+                             new AntPathRequestMatcher("/actuator/**"),
+                             new AntPathRequestMatcher("/api/beacon/send")).permitAll()
             .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
             .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
             .and().authenticationProvider(new SimpleAuthenticationProvider(adminUserService())).formLogin()

gradle.properties

@@ -26,7 +26,7 @@ shibUtilitiesJavaSupportVersion=8.4.1-SNAPSHOT
 spockVersion=2.3-groovy-4.0
 springbootVersion=3.1.2
 ## Used for testing deps, match spring security version used
-springSecurityVersion=6.0.2
+springSecurityVersion=6.1.2
 
 ### DB Driver Versions ###
 mariadbVersion=3.1.2

pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java

@@ -26,6 +26,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import java.util.Optional;
 
@@ -69,11 +70,15 @@ public AuditorAware<String> pac4jAuditorAware() {
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.authorizeHttpRequests().requestMatchers("/unsecured/**/*", "/entities/**/*", "/favicon.ico", "/assets/**/*.png", "/static/**/*", "/**/*.css").permitAll()
+        http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+                                                     new AntPathRequestMatcher("/entities/**/*"),
+                                                     new AntPathRequestMatcher("/favicon.ico"),
+                                                     new AntPathRequestMatcher("/assets/**/*.png"),
+                                                     new AntPathRequestMatcher("/static/**/*"),
+                                                     new AntPathRequestMatcher("/**/*.css")).permitAll()
             .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
             .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"));
 
-
         // If the post logout URL is configured, setup the logout filter
         if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())) {
             final ShibuiLogoutFilter logoutFilter = new ShibuiLogoutFilter(config);