Use MvcRequestMatcher in WebSecurityAutoConfiguration
https://spring.io/security/cve-2023-34035

With spring-security 6.1.2+, requestMatchers(...) must be given explicit MvcRequestMatcher or AntPathRequestMatcher instances instead of bare path strings.
acnfpyttel authored Aug 2, 2023
1 parent 40673f4 commit a29cc13
Showing 1 changed file with 16 additions and 2 deletions.
@@ -1,7 +1,10 @@
package io.dwpbank.movewp3.microservice.security.autoconfiguration.server;

import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.AutoConfigureBefore;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
Expand All @@ -11,6 +14,8 @@
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

/**
* An autoconfiguration that enables OIDC-based authentication for all HTTP endpoints (except for <code>/actuator/*</code> as soon as the
Expand All @@ -29,14 +34,23 @@
public class WebSecurityAutoConfiguration {

@Value("${io.dwpbank.movewp3.microservice.security.allowlist:/actuator/**}")
private String[] allowlist;
private List<String> allowlist;

@Autowired
private HandlerMappingIntrospector introspector;

@Bean
@ConditionalOnMissingBean
SecurityFilterChain oidcResourceServerSecurityFilterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeHttpRequests()
.requestMatchers(allowlist)
.requestMatchers(
allowlist
.stream()
.map(path -> new MvcRequestMatcher(introspector, path))
.toArray(MvcRequestMatcher[]::new)
)
.permitAll()
.anyRequest()
.authenticated()
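Review bot: The matchers built in the `.map(path -> new MvcRequestMatcher(introspector, path))` line use the two-argument constructor and never set a servlet path, so (if I read MvcRequestMatcher correctly) any request the introspector cannot route to an MVC handler falls back to plain Ant matching of the same pattern — which is the multi-servlet ambiguity the linked advisory (CVE-2023-34035) is about, and here every match is `permitAll()`, i.e. a full authentication bypass for that path. Spring Security 6.1.2 ships `MvcRequestMatcher.Builder` for exactly this; taking `HandlerMappingIntrospector introspector` as a parameter of the bean method and using `var mvc = new MvcRequestMatcher.Builder(introspector);` with `.map(mvc::pattern)` (plus `.servletPath("/…")` when the DispatcherServlet is not mounted at `/`) pins the allowlist to the DispatcherServlet and also removes the field injection added at `@Autowired private HandlerMappingIntrospector introspector;`. Whichever form is kept, a why-comment above `.requestMatchers(` would help the next maintainer, e.g. `// Explicit MvcRequestMatcher (not String patterns): 6.1.2+ rejects ambiguous servlet mappings, see CVE-2023-34035; patterns use Spring MVC path semantics and every match is unauthenticated.` The filter-chain method continues past the end of the hunk.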
