Posted to dev@syncope.apache.org by GitBox <gi...@apache.org> on 2022/07/15 16:09:50 UTC

[GitHub] [syncope] github-code-scanning[bot] commented on a diff in pull request #362: Upgrading Spring Boot to 2.7 and CAS to 6.6

github-code-scanning[bot] commented on code in PR #362:
URL: https://github.com/apache/syncope/pull/362#discussion_r922311353


##########
core/spring/src/main/java/org/apache/syncope/core/spring/security/WebSecurityContext.java:
##########
@@ -74,66 +75,65 @@
     }
 
     @Bean
-    public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(
-            final ApplicationContext ctx,
+    public WebSecurityCustomizer webSecurityCustomizer(final HttpFirewall allowUrlEncodedSlashHttpFirewall) {
+        return web -> web.httpFirewall(allowUrlEncodedSlashHttpFirewall);
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(
+            final HttpSecurity http,
+            final UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider,
+            final JWTAuthenticationProvider jwtAuthenticationProvider,
             final SecurityProperties securityProperties,
-            final HttpFirewall allowUrlEncodedSlashHttpFirewall) {
-
-        return new WebSecurityConfigurerAdapter(true) {
-
-            @Override
-            public void configure(final WebSecurity web) {
-                web.httpFirewall(allowUrlEncodedSlashHttpFirewall);
-            }
-
-            @Override
-            protected void configure(final HttpSecurity http) throws Exception {
-                SyncopeAuthenticationDetailsSource authenticationDetailsSource =
-                        new SyncopeAuthenticationDetailsSource();
-
-                AnonymousAuthenticationProvider anonymousAuthenticationProvider =
-                        new AnonymousAuthenticationProvider(ANONYMOUS_BEAN_KEY);
-                AnonymousAuthenticationFilter anonymousAuthenticationFilter =
-                        new AnonymousAuthenticationFilter(
-                                ANONYMOUS_BEAN_KEY,
-                                securityProperties.getAnonymousUser(),
-                                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
-                anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
-
-                SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint =
-                        new SyncopeBasicAuthenticationEntryPoint();
-                basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");
-
-                JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
-                        authenticationManager(),
-                        basicAuthenticationEntryPoint,
-                        authenticationDetailsSource,
-                        ctx.getBean(AuthDataAccessor.class),
-                        ctx.getBean(DefaultCredentialChecker.class));
-
-                http.authorizeRequests().
-                        antMatchers("/**").permitAll().and().
-                        sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
-                        securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
-                        anonymous().
-                        authenticationProvider(anonymousAuthenticationProvider).
-                        authenticationFilter(anonymousAuthenticationFilter).and().
-                        httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
-                        authenticationDetailsSource(authenticationDetailsSource).and().
-                        exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
-                        addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
-                        addFilterBefore(new MustChangePasswordFilter(), FilterSecurityInterceptor.class).
-                        headers().disable().
-                        csrf().disable();
-            }
-
-            @Override
-            protected void configure(final AuthenticationManagerBuilder builder) throws Exception {
-                builder.
-                        authenticationProvider(ctx.getBean(UsernamePasswordAuthenticationProvider.class)).
-                        authenticationProvider(ctx.getBean(JWTAuthenticationProvider.class));
-            }
-        };
+            final ApplicationContext ctx) throws Exception {
+
+        AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManagerBuilder.class).
+                authenticationProvider(usernamePasswordAuthenticationProvider).
+                authenticationProvider(jwtAuthenticationProvider).
+                build();
+
+        SyncopeAuthenticationDetailsSource authenticationDetailsSource =
+                new SyncopeAuthenticationDetailsSource();
+
+        AnonymousAuthenticationProvider anonymousAuthenticationProvider =
+                new AnonymousAuthenticationProvider(ANONYMOUS_BEAN_KEY);
+        AnonymousAuthenticationFilter anonymousAuthenticationFilter =
+                new AnonymousAuthenticationFilter(
+                        ANONYMOUS_BEAN_KEY,
+                        securityProperties.getAnonymousUser(),
+                        AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+        anonymousAuthenticationFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
+
+        SyncopeBasicAuthenticationEntryPoint basicAuthenticationEntryPoint =
+                new SyncopeBasicAuthenticationEntryPoint();
+        basicAuthenticationEntryPoint.setRealmName("Apache Syncope authentication");
+
+        JWTAuthenticationFilter jwtAuthenticationFilter = new JWTAuthenticationFilter(
+                authenticationManager,
+                basicAuthenticationEntryPoint,
+                authenticationDetailsSource,
+                ctx.getBean(AuthDataAccessor.class),
+                ctx.getBean(DefaultCredentialChecker.class));
+
+        MustChangePasswordFilter mustChangePasswordFilter = new MustChangePasswordFilter();
+
+        http.authenticationManager(authenticationManager).
+                authorizeRequests().
+                antMatchers("/**").permitAll().and().
+                sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
+                securityContext().securityContextRepository(new NullSecurityContextRepository()).and().
+                anonymous().
+                authenticationProvider(anonymousAuthenticationProvider).
+                authenticationFilter(anonymousAuthenticationFilter).and().
+                httpBasic().authenticationEntryPoint(basicAuthenticationEntryPoint).
+                authenticationDetailsSource(authenticationDetailsSource).and().
+                exceptionHandling().accessDeniedHandler(accessDeniedHandler()).and().
+                addFilterBefore(jwtAuthenticationFilter, BasicAuthenticationFilter.class).
+                addFilterBefore(mustChangePasswordFilter, FilterSecurityInterceptor.class).
+                headers().disable().
+                csrf().disable();
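Review bot: `headers().disable()` near the end of the chain switches off every default security response header (Cache-Control, X-Content-Type-Options, frame options, HSTS) for all core endpoints, and the migrated filterChain carries it over without recording why; if the goal is only to drop browser-oriented headers on an API, disabling those individually (`headers().frameOptions().disable()`) keeps the harmless ones, and otherwise a one-line comment such as `// stateless REST API: default browser headers intentionally disabled` would save the next reader the question. On the style side, the rewrite now injects usernamePasswordAuthenticationProvider and jwtAuthenticationProvider as bean parameters but still reaches into `ctx.getBean(AuthDataAccessor.class)` and `ctx.getBean(DefaultCredentialChecker.class)` for the JWT filter; injecting those two the same way would make the ApplicationContext parameter unnecessary. The filterChain method continues past the hunk, presumably with the `http.build()` return, so its end is not visible here.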

Review Comment:
   ## Disabled Spring CSRF protection
   
   CSRF vulnerability due to protection being disabled.
   
   [Show more details](https://github.com/apache/syncope/security/code-scanning/1119)


