diff --git a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java
index ce1d62330..5be3e6152 100644
--- a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java
+++ b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java
@@ -33,6 +33,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -46,8 +47,8 @@ import org.springframework.security.web.access.intercept.AuthorizationFilter;
 @Configuration
 class ControllerDownloadSecurityConfiguration {
 
- private static final String DDI_DL_ANT_MATCHER = DdiRestConstants.BASE_V1_REQUEST_MAPPING +
- "/{controllerId}/softwaremodules/{softwareModuleId}/artifacts/*";
+ private static final String DDI_DL_ANT_MATCHER =
+ DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/softwaremodules/{softwareModuleId}/artifacts/*";
 
 private final ControllerManagement controllerManagement;
 private final TenantConfigurationManagement tenantConfigurationManagement;
@@ -73,16 +74,15 @@ class ControllerDownloadSecurityConfiguration {
 * Filter to protect the hawkBit server DDI download interface against too many requests.
 *
 * @param securityProperties for filter configuration
- * @return the spring filter registration bean for registering a denial of service protection filter in the filter chain
+ * @return the spring filter registration bean for registering a denial-of-service protection filter in the filter chain
 */
 @Bean
 @ConditionalOnProperty(prefix = "hawkbit.server.security.dos.filter", name = "enabled", matchIfMissing = true)
 public FilterRegistrationBean dosFilterDDIDL(final HawkbitSecurityProperties securityProperties) {
- final FilterRegistrationBean filterRegBean = SecurityManagedConfiguration.dosFilter(List.of(DDI_DL_ANT_MATCHER),
- securityProperties.getDos().getFilter(), securityProperties.getClients());
+ final FilterRegistrationBean filterRegBean = SecurityManagedConfiguration.dosFilter(
+ List.of(DDI_DL_ANT_MATCHER), securityProperties.getDos().getFilter(), securityProperties.getClients());
 filterRegBean.setOrder(SecurityManagedConfiguration.DOS_FILTER_ORDER);
 filterRegBean.setName("dosDDiDlFilter");
-
 return filterRegBean;
 }
 
@@ -91,15 +91,9 @@ class ControllerDownloadSecurityConfiguration {
 protected SecurityFilterChain filterChainDDIDL(final HttpSecurity http) throws Exception {
 http
 .securityMatcher(DDI_DL_ANT_MATCHER)
- .csrf(AbstractHttpConfigurer::disable);
-
- if (securityProperties.isRequireSsl()) {
- http.requiresChannel(crmRegistry -> crmRegistry.anyRequest().requiresSecure());
- }
-
- http
 .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
 .anonymous(AbstractHttpConfigurer::disable)
+ .csrf(AbstractHttpConfigurer::disable)
 .addFilterBefore(new AuthenticationFilters.SecurityHeaderAuthenticationFilter(
 new SecurityHeaderAuthenticator(
 tenantConfigurationManagement, tenantAware, systemSecurityContext,
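Review bot: `FilterRegistrationBean` is still used as a raw type on the lines this hunk rewrites in dosFilterDDIDL, both for the return type and for the `filterRegBean` local, which disables the generic checks on the bean and raises a rawtypes warning under -Xlint. Since the lines are being reformatted anyway, parameterizing them would cost nothing, e.g. `public FilterRegistrationBean<?> dosFilterDDIDL(final HawkbitSecurityProperties securityProperties) {` and `final FilterRegistrationBean<?> filterRegBean = SecurityManagedConfiguration.dosFilter(`, provided `SecurityManagedConfiguration.dosFilter` returns a parameterized type (its declaration is outside this diff). The filterChainDDIDL hunk that follows does not touch this type, so the point is confined to this hunk.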
@@ -118,6 +112,10 @@ class ControllerDownloadSecurityConfiguration {
 (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
 .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
 
+ if (securityProperties.isRequireSsl()) {
+ http.redirectToHttps(Customizer.withDefaults());
+ }
+
 MdcHandler.Filter.addMdcFilter(http);
 
 return http.build();
diff --git a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java
index 336f03ce1..3375c505b 100644
--- a/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java
+++ b/hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java
@@ -97,11 +97,9 @@ class ControllerSecurityConfiguration {
 @Value("${hawkbit.server.security.cors.disable-for-ddi-api:false}") final boolean disableCorsForDdiApi) throws Exception {
 http
 .securityMatcher(DDI_ANT_MATCHERS)
- .csrf(AbstractHttpConfigurer::disable);
-
- http
 .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
 .anonymous(AbstractHttpConfigurer::disable)
+ .csrf(AbstractHttpConfigurer::disable)
 .addFilterBefore(new AuthenticationFilters.SecurityHeaderAuthenticationFilter(
 new SecurityHeaderAuthenticator(
 tenantConfigurationManagement, tenantAware,
diff --git a/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java b/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
index cc05b7fd6..0b575df1d 100644
--- a/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
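Review bot: `http.redirectToHttps(Customizer.withDefaults())`, which replaces the `requiresChannel(...).requiresSecure()` block removed in the previous hunk, only redirects requests whose `request.isSecure()` is false, so when TLS is terminated at a reverse proxy every download request is redirected unless forwarded-header handling is enabled, and when the proxy already enforces TLS the check never fires; that prerequisite deserves a comment on the `if`, e.g. `// relies on request.isSecure(): honour X-Forwarded-Proto when TLS is terminated upstream, otherwise every request is redirected`. The redirect semantics match the removed `requiresChannel`, so this is not a regression, but a redirect does not protect a device that has already sent its credential headers over plain HTTP on the first request; for this machine-to-machine endpoint, rejecting non-TLS requests outright would be the stricter option. `redirectToHttps` was introduced with Spring Security 6.5, which the added `Customizer` import suggests the project already targets, but the version is not visible in this diff. filterChainDDIDL starts outside this hunk.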
+++ b/hawkbit-mgmt/hawkbit-mgmt-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/mgmt/MgmtSecurityConfiguration.java
@@ -122,9 +122,6 @@ public class MgmtSecurityConfiguration {
 .authenticated())
 .anonymous(AbstractHttpConfigurer::disable)
 .csrf(AbstractHttpConfigurer::disable)
- .requestCache(AbstractHttpConfigurer::disable)
- .exceptionHandling(Customizer.withDefaults())
- .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .addFilterAfter(
 // Servlet filter to create metadata after successful authentication over RESTful.
 (request, response, chain) -> {
@@ -134,7 +131,10 @@ public class MgmtSecurityConfiguration {
 }
 chain.doFilter(request, response);
 },
- SessionManagementFilter.class);
+ SessionManagementFilter.class)
+ .requestCache(AbstractHttpConfigurer::disable)
+ .exceptionHandling(Customizer.withDefaults())
+ .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
 
 if (securityProperties.getCors().isEnabled()) {
 http.cors(configurer -> configurer.configurationSource(securityProperties.getCors().toCorsConfigurationSource()));
diff --git a/hawkbit-simple-ui/src/main/java/org/eclipse/hawkbit/ui/simple/security/SecurityConfiguration.java b/hawkbit-simple-ui/src/main/java/org/eclipse/hawkbit/ui/simple/security/SecurityConfiguration.java
index 19696dd62..94413e6ba 100644
--- a/hawkbit-simple-ui/src/main/java/org/eclipse/hawkbit/ui/simple/security/SecurityConfiguration.java
+++ b/hawkbit-simple-ui/src/main/java/org/eclipse/hawkbit/ui/simple/security/SecurityConfiguration.java
@@ -22,19 +22,17 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @EnableWebSecurity
 @Configuration
-@EnableConfigurationProperties({ OidcClientProperties.class })
+@EnableConfigurationProperties(OidcClientProperties.class)
 public class SecurityConfiguration extends VaadinWebSecurity {
 
 private Customizer> oAuth2LoginConfigurerCustomizer;
 
 @Autowired(required = false)
 public void setOAuth2LoginConfigurerCustomizer(
- @Qualifier("hawkbitOAuth2ClientCustomizer") final Customizer> oauth2LoginConfigurerCustomizer
- ) {
+ @Qualifier("hawkbitOAuth2ClientCustomizer") final Customizer> oauth2LoginConfigurerCustomizer) {
 this.oAuth2LoginConfigurerCustomizer = oauth2LoginConfigurerCustomizer;
 }
 
@@ -45,8 +43,7 @@ public class SecurityConfiguration extends VaadinWebSecurity {
 
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
- http.authorizeHttpRequests(
- authorize -> authorize.requestMatchers(new AntPathRequestMatcher("/images/*.png")).permitAll());
+ http.authorizeHttpRequests(authorize -> authorize.requestMatchers("/images/*.png").permitAll());
 super.configure(http);