From 4af7ece8730e978613971ba94d19509b95f1faa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Wacongne?=
Date: Tue, 3 Jan 2023 05:17:59 +0100
Subject: [PATCH] gh-83 do not force http when SSL is not enabled (#84)

---
 .../README.md | 2 --
 .../tutorials/SecurityConfig.java | 2 --
 .../resource-server_with_ui/README.md | 2 --
 .../tutorials/WebSecurityConfig.java | 30 ++++++++-----------
 .../synchronised/AddonsWebSecurityBeans.java | 2 --
 .../synchronised/AddonsWebSecurityBeans.java | 2 --
 .../test/mockmvc/AddonsWebmvcTestConf.java | 2 --
 7 files changed, 13 insertions(+), 29 deletions(-)

diff --git a/samples/tutorials/resource-server_with_jwtauthenticationtoken/README.md b/samples/tutorials/resource-server_with_jwtauthenticationtoken/README.md
index 70e2832ac..947f92635 100644
--- a/samples/tutorials/resource-server_with_jwtauthenticationtoken/README.md
+++ b/samples/tutorials/resource-server_with_jwtauthenticationtoken/README.md
@@ -132,8 +132,6 @@ public class SecurityConfig {
 // If SSL enabled, disable http (https only)
 if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
 http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
 }
 
 // Route security: authenticated to all routes but actuator and Swagger-UI
diff --git a/samples/tutorials/resource-server_with_jwtauthenticationtoken/src/main/java/com/c4soft/springaddons/tutorials/SecurityConfig.java b/samples/tutorials/resource-server_with_jwtauthenticationtoken/src/main/java/com/c4soft/springaddons/tutorials/SecurityConfig.java
index 9c68d6632..2b6f3579e 100644
--- a/samples/tutorials/resource-server_with_jwtauthenticationtoken/src/main/java/com/c4soft/springaddons/tutorials/SecurityConfig.java
+++ b/samples/tutorials/resource-server_with_jwtauthenticationtoken/src/main/java/com/c4soft/springaddons/tutorials/SecurityConfig.java
@@ -102,8 +102,6 @@ SecurityFilterChain filterChain(HttpSecurity http,
 // If SSL enabled, disable http (https only)
 if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
 http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
 }
 
 // Route security: authenticated to all routes but actuator and Swagger-UI
diff --git a/samples/tutorials/resource-server_with_ui/README.md b/samples/tutorials/resource-server_with_ui/README.md
index d16add401..22d1b3d48 100644
--- a/samples/tutorials/resource-server_with_ui/README.md
+++ b/samples/tutorials/resource-server_with_ui/README.md
@@ -150,8 +150,6 @@ public class WebSecurityConfig {
 // If SSL enabled, disable http (https only)
 if (isSsl) {
 http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
 }
 
 // compared to API filter-chain:
diff --git a/samples/tutorials/resource-server_with_ui/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java b/samples/tutorials/resource-server_with_ui/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java
index 73a106ddf..b19f32117 100644
--- a/samples/tutorials/resource-server_with_ui/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java
+++ b/samples/tutorials/resource-server_with_ui/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java
@@ -23,9 +23,8 @@ public class WebSecurityConfig {
 /**
 *
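Review bot: With the `else` branch gone, a deployment where TLS is terminated upstream (so `serverProperties.getSsl()` is null or disabled) now gets no channel requirement at all instead of being forced onto plain HTTP, which is the right fix, but the surviving comment `// If SSL enabled, disable http (https only)` no longer says what happens in the other case. I would extend it to `// If SSL enabled, disable http (https only); otherwise leave the channel unconstrained (TLS may be terminated by a reverse proxy)`. As far as I recall, `requiresSecure()` decides from `request.isSecure()`, so behind a proxy the forwarded-proto headers must be honoured for it not to loop on redirects; a one-line pointer to that in the same comment would save the next reader a debugging session. The same removal appears in WebSecurityConfig.java (@@ -88,8), both AddonsWebSecurityBeans.java files (@@ -189,8 and @@ -182,8) and AddonsWebmvcTestConf.java (@@ -132,8), and the same comment fix applies where the comment exists. filterChain's body continues outside the hunk.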

- * A default SecurityFilterChain is already defined by
- * spring-addons-webmvc-jwt-resource-server to secure all API endpoints
- * (actuator and REST controllers)
+ * A default SecurityFilterChain is already defined by spring-addons-webmvc-jwt-resource-server to secure all API endpoints (actuator and
+ * REST controllers)
 *

* We define here another SecurityFilterChain for server-side rendered pages: * *

- * It important to note that in this scenario, the end-user browser is not an
- * OAuth2 client. Only the part of the server-side part of the Spring
- * application secured with this filter chain is. Requests between the browser
- * and Spring OAuth2 client are secured with sessions. As so, CSRF
- * protection must be active.
+ * It important to note that in this scenario, the end-user browser is not an OAuth2 client. Only the part of the server-side part of the
+ * Spring application secured with this filter chain is. Requests between the browser and Spring OAuth2 client are secured with
+ * sessions. As so, CSRF protection must be active.
 *

 *
- * @param http
- * @param serverProperties
- * @return an additional security filter-chain for UI elements (with OAuth2
- * login)
+ * @param http
+ * @param serverProperties
+ * @return an additional security filter-chain for UI elements (with OAuth2 login)
 * @throws Exception
 */
 @Order(Ordered.HIGHEST_PRECEDENCE)
 @Bean
- SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProperties,
+ SecurityFilterChain uiFilterChain(
+ HttpSecurity http,
+ ServerProperties serverProperties,
 Converter, Collection> authoritiesConverter) throws Exception {
 boolean isSsl = serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled();
@@ -64,7 +62,7 @@ SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProp
 // and OAuth2 client callback endpoints
 new AntPathRequestMatcher("/login/**"),
 new AntPathRequestMatcher("/oauth2/**")));
-
+
 http.oauth2Login()
 // I don't know quite why we are redirected to authorization-server port by default as initial login page is generated on client :/
 .loginPage("%s://localhost:%d/oauth2/authorization/spring-addons-public".formatted(isSsl ? "https" : "http", serverProperties.getPort()) )
@@ -78,7 +76,7 @@ SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProp
 .map(OidcUserAuthority.class::cast)
 .flatMap(oua -> authoritiesConverter.convert(oua.getIdToken().getClaims()).stream()).toList()
 );
-
+
 http.authorizeHttpRequests()
 .requestMatchers("/login/**").permitAll()
 .requestMatchers("/oauth2/**").permitAll()
@@ -88,8 +86,6 @@ SecurityFilterChain uiFilterChain(HttpSecurity http, ServerProperties serverProp
 // If SSL enabled, disable http (https only)
 if (isSsl) {
 http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
 }
 
 // compared to API filter-chain:
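Review bot: The reflowed Javadoc in the @@ -23,9 hunk still reads `* It important to note that in this scenario, ...`; since these lines are rewritten anyway, `* It is important to note that in this scenario, ...` would fix the typo at no cost. The `@param http` and `@param serverProperties` tags are carried over with no description, and the third parameter, `authoritiesConverter`, gets no `@param` at all even though the signature is being reformatted to one parameter per line; from its use in the @@ -78,7 hunk I would add `* @param authoritiesConverter maps the ID-token claims of the logged-in user to granted authorities`. Note also that the rendered signature shows `Converter, Collection>` with its type arguments missing, which looks like an extraction artefact rather than something in the commit, but is worth checking against the real file. The enclosing uiFilterChain body continues outside the hunk.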
diff --git a/webmvc/spring-addons-webmvc-introspecting-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java b/webmvc/spring-addons-webmvc-introspecting-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java
index ef0568f5a..59052d478 100644
--- a/webmvc/spring-addons-webmvc-introspecting-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java
+++ b/webmvc/spring-addons-webmvc-introspecting-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java
@@ -189,8 +189,6 @@ SecurityFilterChain filterChain(
 
 if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
 http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
 }
 
 expressionInterceptUrlRegistryPostProcessor.authorizeHttpRequests(
diff --git a/webmvc/spring-addons-webmvc-jwt-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java b/webmvc/spring-addons-webmvc-jwt-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java
index 9689aaa65..71295958b 100644
--- a/webmvc/spring-addons-webmvc-jwt-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java
+++ b/webmvc/spring-addons-webmvc-jwt-resource-server/src/main/java/com/c4_soft/springaddons/security/oauth2/config/synchronised/AddonsWebSecurityBeans.java
@@ -182,8 +182,6 @@ SecurityFilterChain filterChain(
 
 if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
 http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
 }
 
 expressionInterceptUrlRegistryPostProcessor.authorizeHttpRequests(
diff --git a/webmvc/spring-addons-webmvc-test/src/main/java/com/c4_soft/springaddons/security/oauth2/test/mockmvc/AddonsWebmvcTestConf.java b/webmvc/spring-addons-webmvc-test/src/main/java/com/c4_soft/springaddons/security/oauth2/test/mockmvc/AddonsWebmvcTestConf.java
index 02113ab7a..2038a13d2 100644
--- a/webmvc/spring-addons-webmvc-test/src/main/java/com/c4_soft/springaddons/security/oauth2/test/mockmvc/AddonsWebmvcTestConf.java
+++ b/webmvc/spring-addons-webmvc-test/src/main/java/com/c4_soft/springaddons/security/oauth2/test/mockmvc/AddonsWebmvcTestConf.java
@@ -132,8 +132,6 @@ SecurityFilterChain filterChain(HttpSecurity http, ServerProperties serverProper
 
 if (serverProperties.getSsl() != null && serverProperties.getSsl().isEnabled()) {
 http.requiresChannel().anyRequest().requiresSecure();
- } else {
- http.requiresChannel().anyRequest().requiresInsecure();
 }
 
 return http.build();