Apply controller security config to all /{tenant}/controller/v1 but downloads (#2022)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java

@@ -91,7 +91,7 @@ class ControllerDownloadSecurityConfiguration {
     }
 
     @Bean
-    @Order(301)
+    @Order(300) // higher priority than HawkBit DDI security, so that the DDI DL security is applied first
     protected SecurityFilterChain filterChainDDIDL(final HttpSecurity http) throws Exception {
         final AuthenticationManager authenticationManager = ControllerSecurityConfiguration.setAuthenticationManager(
                 http, ddiSecurityConfiguration);

hawkbit-ddi/hawkbit-ddi-starter/src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java

@@ -54,13 +54,7 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
 class ControllerSecurityConfiguration {
 
     private static final String[] DDI_ANT_MATCHERS = {
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/confirmationBase/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/deploymentBase/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/installedBase/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/cancelAction/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/configData",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/softwaremodules/{softwareModuleId}/artifacts" };
+            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/**" };
 
     private final ControllerManagement controllerManagement;
     private final TenantConfigurationManagement tenantConfigurationManagement;
@@ -101,7 +95,7 @@ class ControllerSecurityConfiguration {
     }
 
     @Bean
-    @Order(300)
+    @Order(301)
     protected SecurityFilterChain filterChainDDI(final HttpSecurity http) throws Exception {
         final AuthenticationManager authenticationManager = setAuthenticationManager(http, ddiSecurityConfiguration);
 
@@ -146,15 +140,13 @@ class ControllerSecurityConfiguration {
             gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 
             http
-                    .authorizeHttpRequests(amrmRegistry ->
-                            amrmRegistry.anyRequest().authenticated())
+                    .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
                     .anonymous(AbstractHttpConfigurer::disable)
                     .addFilter(securityHeaderFilter)
                     .addFilter(securityTokenFilter)
                     .addFilter(gatewaySecurityTokenFilter)
                     .exceptionHandling(configurer -> configurer.authenticationEntryPoint(
-                            (request, response, authException) ->
-                                    response.setStatus(HttpStatus.UNAUTHORIZED.value())))
+                            (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
                     .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
         }
 
@@ -175,4 +167,4 @@ class ControllerSecurityConfiguration {
         http.authenticationManager(authenticationManager);
         return authenticationManager;
     }
-}
+}