Config http headers #37
Conversation
BettyB979
commented
Nov 15, 2023
BettyB979
commented
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| SecurityFilterChain filterChain(HttpSecurity http) throws Exception { | ||
| return http | ||
| .securityMatcher("/**") | ||
| .csrf(csrfConfig -> csrfConfig.disable()) |
Check failure
Code scanning / CodeQL
Disabled Spring CSRF protection High
| return http | ||
| .securityMatcher("/**") | ||
| .csrf(AbstractHttpConfigurer::disable) |
Check failure
Code scanning / CodeQL
Disabled Spring CSRF protection High
...fr/insee/survey/datacollectionmanagement/config/auth/security/PublicSecurityFilterChain.java
Fixed
Show fixed
Hide fixed
...fr/insee/survey/datacollectionmanagement/config/auth/security/PublicSecurityFilterChain.java
Fixed
Show fixed
Hide fixed
| @Bean | ||
| public UserProvider getUserProvider() { | ||
| return auth -> new User(); | ||
| } | ||
|
|
||
| private String[] publicUrls(){ | ||
| String[] str = new String[config.getPublicUrls().size()]; |
There was a problem hiding this comment.
cannot have directly public urls as array ?
| return null; | ||
| }) | ||
| .filter(Objects::nonNull) | ||
| .collect(Collectors.toCollection(ArrayList::new)); |
| authorizedRoles.addAll(applicationConfig.getRoleWebClient()); | ||
|
|
||
| return roles.stream() | ||
| .map(role -> { |
There was a problem hiding this comment.
filter can be used instead of returning null sometimes then filter on non null objects
.filter(role -> authorizedRoles.contains(role))
.map(SimpleGrantedAuthority::new)
| .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN) | ||
| )) | ||
| .anonymous(anonymousConfig -> anonymousConfig | ||
| .authorities("ROLE_ADMIN")) |
There was a problem hiding this comment.
do you use this role anywhere in the app ?
| } | ||
|
|
||
| private String[] publicUrls() { | ||
| return new String[]{"/csrf", "/", "/webjars/**", "/swagger-resources/**", "/environnement", Constants.API_HEALTHCHECK, "/actuator/**", |
There was a problem hiding this comment.
maybe parameterize these urls in a conf file ? all these paths are used ?
| @@ -99,5 +99,6 @@ private Constants() { | |||
| public static final String REVIEWER = "reviewer"; | |||
|
|
|||
| public static final String API_HEALTHCHECK = "/api/healthcheck"; | |||
| public static final String ACTUATOR = "/actuator/**"; | |||
There was a problem hiding this comment.
divide this class into 2 and give them a more specific name ? one to define URL apis, another for roles
|
|
||
| import jakarta.persistence.Entity; | ||
| import jakarta.persistence.GeneratedValue; | ||
| import jakarta.persistence.Id; | ||
| import lombok.Data; | ||
|
|
||
| @Entity | ||
| @Data |
There was a problem hiding this comment.
@DaTa should not be used on entities: https://jpa-buddy.com/blog/lombok-and-jpa-what-may-go-wrong/
Here is not the best place to write this as there are only string properties, but it's best not to use @DaTa @EqualsAndHashCode @tostring on entities at all
| import lombok.NoArgsConstructor; | ||
| import lombok.NonNull; | ||
| import lombok.ToString; | ||
| import java.util.Date; | ||
|
|
||
| @Entity | ||
| @Data |
| @@ -35,14 +22,15 @@ public enum ContactEventType { | |||
| private Long id; | |||
| private Date eventDate; | |||
| @NonNull | |||
| @Enumerated(EnumType.STRING) | |||
There was a problem hiding this comment.
enumerated variables are constant, so no lower case (CREATE, UPDATE, ...).
You should certainly use a converter instead: https://stackoverflow.com/questions/60500739/storing-enum-custom-values-with-jpa
| import fr.insee.survey.datacollectionmanagement.metadata.service.PartitioningService; | ||
| import jakarta.ws.rs.NotFoundException; |
...insee/survey/datacollectionmanagement/config/auth/security/OpenIDConnectSecurityContext.java
Fixed
Show fixed
Hide fixed
|
SonarCloud Quality Gate failed.
|
