diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
index 5b2e5a98a..90194ede5 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
@@ -110,7 +110,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http.csrf((csrf) -> csrf.csrfTokenRequestHandler(requestHandler));
 http
 .authorizeHttpRequests()
- .requestMatchers("/unsecured/**/*","/entities/**/*","/actuator/**", "/api/beacon/send").permitAll()
+ .requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+ new AntPathRequestMatcher("/entities/**/*"),
+ new AntPathRequestMatcher("/actuator/**"),
+ new AntPathRequestMatcher("/api/beacon/send")).permitAll()
 .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
 .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
 .and().authenticationProvider(new SimpleAuthenticationProvider(adminUserService())).formLogin()
diff --git a/gradle.properties b/gradle.properties
index da7b6323d..6978848ee 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -26,7 +26,7 @@ shibUtilitiesJavaSupportVersion=8.4.1-SNAPSHOT
 spockVersion=2.3-groovy-4.0
 springbootVersion=3.1.2
 ## Used for testing deps, match spring security version used
-springSecurityVersion=6.0.2
+springSecurityVersion=6.1.2
 ### DB Driver Versions ###
 mariadbVersion=3.1.2
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
index a1bc022ca..2d725a83a 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
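Review bot: `/actuator/**` in the new requestMatchers(...) call is still permitAll, so every actuator endpoint that the management exposure settings publish stays reachable without authentication; the switch to explicit matchers does not narrow that. Unless exposure is restricted elsewhere (not visible here), consider permitting only the probes, `new AntPathRequestMatcher("/actuator/health"), new AntPathRequestMatcher("/actuator/info")`, and letting `anyRequest().hasAnyRole(acceptedAuthenticationRoles)` protect the rest. The explicit matchers also deserve a why-comment because they read as redundant next to the old string form: `// Ant matchers on purpose: requestMatchers(String...) resolves to MvcRequestMatcher when Spring MVC is present, which Spring Security 6.1.2 refuses when more than one servlet is registered` — presumably the motivation given the springSecurityVersion bump in gradle.properties, and the same comment fits the pac4j-module filterChain hunk. Ant and MVC matching are not guaranteed to agree on edge cases such as trailing slashes, so the set of requests that permitAll now covers may differ slightly from before and is worth a quick check against the unsecured and entities routes. filterChain continues beyond the hunk on both sides.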
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
@@ -26,6 +26,7 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import java.util.Optional;
@@ -69,11 +70,15 @@ public AuditorAware pac4jAuditorAware() {
 @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http.authorizeHttpRequests().requestMatchers("/unsecured/**/*", "/entities/**/*", "/favicon.ico", "/assets/**/*.png", "/static/**/*", "/**/*.css").permitAll()
+ http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+ new AntPathRequestMatcher("/entities/**/*"),
+ new AntPathRequestMatcher("/favicon.ico"),
+ new AntPathRequestMatcher("/assets/**/*.png"),
+ new AntPathRequestMatcher("/static/**/*"),
+ new AntPathRequestMatcher("/**/*.css")).permitAll()
 .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
 .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"));
- // If the post logout URL is configured, setup the logout filter
 if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())) {
 final ShibuiLogoutFilter logoutFilter = new ShibuiLogoutFilter(config);