- Story
- Resolution: Done
- Undefined
- 4.0.1
- None
In the following documentation, https://docs.redhat.com/en/documentation/red_hat_build_of_apache_camel/4.4/html-single/hawtio_diagnostic_console_guide/index#spring_security, the code example

```java
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic()
            .and()
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        return http.build();
    }
}
```

should be updated for two reasons:
- It is using deprecated methods.
- This filterChain will add authentication to all the endpoints. If a CSB application exposes REST services via the platform-http component, or there are REST services exposed with a Spring RestController, they will be authenticated as well.

The code example (and the HawtIO examples as well) can be refactored with something like:
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeRequests(requests -> requests
            // Specific matchers must be registered before anyRequest();
            // Spring Security rejects requestMatchers() declared after it.
            .requestMatchers("/hawtio").authenticated()
            .anyRequest().permitAll()
        )
        .formLogin(form -> form
            .configure(http)
        )
        .httpBasic(httpBasic -> httpBasic
            .configure(http))
        .csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        );
    return http.build();
}
```
Note: I didn't test the code. It should work, but the requestMatchers("/hawtio") should be updated with the correct one, and I am not entirely sure about the .configure(http).
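A variant of the refactoring proposed above written against the Spring Security 6 lambda DSL, as an added example that is not part of the original ticket or of the Red Hat documentation: `Customizer.withDefaults()` takes the place of the `.configure(http)` calls, and `authorizeHttpRequests` replaces the deprecated `authorizeRequests`. `HAWTIO_PATHS` is a placeholder assumption and has to be set to the path Hawtio is actually served on.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumption: placeholder pattern, not taken from the Hawtio documentation.
    // Replace it with the path the console is really exposed on.
    private static final String HAWTIO_PATHS = "/hawtio/**";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests
                // Rules are evaluated in declaration order and anyRequest()
                // must come last, so the console matcher is listed first.
                .requestMatchers(HAWTIO_PATHS).authenticated()
                // Everything else (platform-http routes, @RestController
                // endpoints) is reachable without authentication.
                .anyRequest().permitAll())
            // Default form login and HTTP Basic, with no custom settings.
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults())
            // Same CSRF repository as the documented example: the token
            // cookie is readable by JavaScript (HttpOnly=false).
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}
```

CSRF protection in this chain still applies to every state-changing request, including the REST endpoints opened by `permitAll()`, so their clients either send the token or the CSRF scope has to be decided separately. Because `anyRequest().permitAll()` leaves every unlisted path unauthenticated, any other sensitive endpoint needs its own matcher ahead of it.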