From 1d9324882ce435a5184df72e93c612f313229367 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Tue, 8 Aug 2023 16:28:37 -0700
Subject: [PATCH] SHIBUI-2510 Updated spring security config to match more strict usage in newer spring version
---
 .../admin/ui/configuration/SpringSecurityConfig.java | 5 ++++-
 gradle.properties | 2 +-
 .../unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java | 9 +++++++--
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
index 5b2e5a98a..90194ede5 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/SpringSecurityConfig.java
@@ -110,7 +110,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.csrf((csrf) -> csrf.csrfTokenRequestHandler(requestHandler));
         http
                 .authorizeHttpRequests()
-                .requestMatchers("/unsecured/**/*","/entities/**/*","/actuator/**", "/api/beacon/send").permitAll()
+                .requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+                        new AntPathRequestMatcher("/entities/**/*"),
+                        new AntPathRequestMatcher("/actuator/**"),
+                        new AntPathRequestMatcher("/api/beacon/send")).permitAll()
                 .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
                 .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
                 .and().authenticationProvider(new SimpleAuthenticationProvider(adminUserService())).formLogin()
diff --git a/gradle.properties b/gradle.properties
index da7b6323d..6978848ee 100644
--- a/gradle.properties
+++ b/gradle.properties
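Review bot: The four permitAll matchers are now explicit `AntPathRequestMatcher` instances, but the chain they sit in still uses the no-argument `authorizeHttpRequests()` and `.and()` style that Spring Security 6.1 deprecates, while the `csrf` call on the first line of this hunk already uses the lambda form; the same mix appears in the `filterChain` hunk of `Pac4jSpringSecurityConfig.java`. Moving the rules to `http.authorizeHttpRequests(auth -> auth.requestMatchers(...).permitAll().anyRequest().hasAnyRole(acceptedAuthenticationRoles))` keeps each file on one DSL; the `.and()` chain and the enclosing `filterChain` method continue past the end of the hunk and would need the same treatment. Building the matchers explicitly presumably sidesteps the startup check that 6.1 applies to `requestMatchers(String...)` when it cannot decide between MVC and Ant matching; since `anyRequest()` falls through to `hasAnyRole`, a request these Ant patterns fail to match is denied rather than exposed, which is the safe direction. A short comment above the matchers recording that, e.g. `// explicit Ant matchers: 6.1 rejects bare String patterns when matching is ambiguous; anything unmatched falls through to hasAnyRole`, would save the next reader the archaeology.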
@@ -26,7 +26,7 @@ shibUtilitiesJavaSupportVersion=8.4.1-SNAPSHOT
 spockVersion=2.3-groovy-4.0
 springbootVersion=3.1.2
 ## Used for testing deps, match spring security version used
-springSecurityVersion=6.0.2
+springSecurityVersion=6.1.2
 ### DB Driver Versions ###
 mariadbVersion=3.1.2
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
index a1bc022ca..2d725a83a 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/Pac4jSpringSecurityConfig.java
@@ -26,6 +26,7 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import java.util.Optional;
@@ -69,11 +70,15 @@ public AuditorAware pac4jAuditorAware() {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        http.authorizeHttpRequests().requestMatchers("/unsecured/**/*", "/entities/**/*", "/favicon.ico", "/assets/**/*.png", "/static/**/*", "/**/*.css").permitAll()
+        http.authorizeHttpRequests().requestMatchers(new AntPathRequestMatcher("/unsecured/**/*"),
+                new AntPathRequestMatcher("/entities/**/*"),
+                new AntPathRequestMatcher("/favicon.ico"),
+                new AntPathRequestMatcher("/assets/**/*.png"),
+                new AntPathRequestMatcher("/static/**/*"),
+                new AntPathRequestMatcher("/**/*.css")).permitAll()
                 .anyRequest().hasAnyRole(acceptedAuthenticationRoles)
                 .and().exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"));
-        // If the post logout URL is configured, setup the logout filter
         if (StringUtils.isNotEmpty(pac4jConfigurationProperties.getPostLogoutURL())) {
             final ShibuiLogoutFilter logoutFilter = new ShibuiLogoutFilter(config);