From 2c4fa13415d7c27bc1dc038fce858033cdf3de2f Mon Sep 17 00:00:00 2001
From: Mark Patton
Date: Thu, 4 Apr 2024 10:06:13 -0400
Subject: [PATCH] Disabled unused spring security functionality
---
 .../eclipse/pass/main/security/SecurityConfiguration.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java b/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java
index 24894b0c..2c6aaf18 100644
--- a/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java
+++ b/pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java
@@ -22,7 +22,9 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AnonymousConfigurer;
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
+import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
 import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.header.writers.ContentSecurityPolicyHeaderWriter;
@@ -58,7 +60,10 @@ public class SecurityConfiguration {
 */
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ // Disable unused functionality
 http.csrf(CsrfConfigurer::disable);
+ http.formLogin(FormLoginConfigurer::disable);
+ http.anonymous(AnonymousConfigurer::disable);
 
 // Set Content Security Policy header only for /app/
 ContentSecurityPolicyHeaderWriter cspHeaderWriter = new ContentSecurityPolicyHeaderWriter();
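Review bot: The added comment `// Disable unused functionality` now also reads as the rationale for `http.csrf(CsrfConfigurer::disable);` directly below it, but CSRF protection is a defense rather than a feature, and the Saml2WebSsoAuthenticationFilter import visible in the first hunk suggests browser sessions exist, so the comment should state why turning it off is safe here rather than calling it unused, e.g. `// CSRF disabled because: <STATE REASON, e.g. no cookie-authenticated state-changing endpoints>` as its own line above the csrf call, with `// Disable unused functionality` moved to sit above the formLogin/anonymous lines only. Disabling anonymous() also changes what unauthenticated requests carry: they now reach the rest of filterChain with no Authentication at all instead of an anonymous one, so any rule that read the principal on a permitAll path or relied on the anonymous authority should be re-checked. The authorization rules that would confirm this are in the remainder of filterChain, which continues past the end of the hunk.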