NIFI-13558 Configured Web Security to ignore unauthenticated requests (
…#9090)

This closes #9090
exceptionfactory authored Jul 18, 2024
1 parent 16c9ea4 commit e35cbbb
Showing 1 changed file with 22 additions and 7 deletions.
Expand Up @@ -55,8 +55,13 @@
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatchers;

import java.util.List;
import java.util.stream.Collectors;

/**
* Application Security Configuration using Spring Security
Expand All @@ -68,6 +73,18 @@
@EnableWebSecurity
@EnableMethodSecurity
public class WebSecurityConfiguration {
private static final List<String> UNFILTERED_PATHS = List.of(
"/access",
"/access/config",
"/access/token",
"/access/logout/complete",
"/authentication/configuration"
);

private static final RequestMatcher UNFILTERED_PATHS_REQUEST_MATCHER = new OrRequestMatcher(
UNFILTERED_PATHS.stream().map(AntPathRequestMatcher::new).collect(Collectors.toList())
);

/**
* Spring Security Authentication Manager configured using Authentication Providers from specific configuration classes
*
Expand Down Expand Up @@ -108,14 +125,12 @@ public SecurityFilterChain securityFilterChain(
.securityContext(AbstractHttpConfigurer::disable)
.sessionManagement(AbstractHttpConfigurer::disable)
.headers(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(authorize -> authorize
.securityMatchers(securityMatchers -> securityMatchers
.requestMatchers(
"/access",
"/access/config",
"/access/token",
"/access/logout/complete",
"/authentication/configuration"
).permitAll()
RequestMatchers.not(UNFILTERED_PATHS_REQUEST_MATCHER)
)
)
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.addFilterBefore(new SkipReplicatedCsrfFilter(), CsrfFilter.class)
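Review bot: Moving the five paths from `permitAll()` into `securityMatchers(RequestMatchers.not(UNFILTERED_PATHS_REQUEST_MATCHER))` takes them out of the entire SecurityFilterChain, not just out of authorization, so SkipReplicatedCsrfFilter/CsrfFilter and the authentication filters registered on this chain no longer see a request to `/access/token` at all, whereas the old `permitAll()` still ran them. That is what the title says is intended, but the constant on the new side does not say it; I would add `/** Paths served with no Spring Security filter at all (including CSRF): their handlers must validate the request themselves. */` above `UNFILTERED_PATHS`. Each `AntPathRequestMatcher` here has no wildcard and no method, so every verb on exactly `/access/token` is unfiltered while `/access/token/` or `/access/tokens` remain authenticated; a small test pinning that the exclusion is exact would guard against a future entry like `/access/**` silently widening the hole. As a minor point of style, `UNFILTERED_PATHS.stream().map(AntPathRequestMatcher::new).toList()` would drop the `Collectors` import on a Java 16+ build. `securityFilterChain` begins before this hunk and its builder call continues after it.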
