ESB-917 import developments ESB-652, ESB-613, ESB-915 #323
base: develop
Conversation
- fix mail plugin ssl protocol;
- add basicAuth for /api/* when keycloak.enabled false
- add basicAuth in swagger config when keycloak.enabled false
- update keycloak dockercompose
| http.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)) | ||
| .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)) | ||
| .addFilterBefore(basicAuthFilter, BasicAuthenticationFilter.class) | ||
| .anonymous(AbstractHttpConfigurer::disable) | ||
| .csrf(AbstractHttpConfigurer::disable) //NOSONAR |
Check failure: Code scanning / CodeQL: Disabled Spring CSRF protection (High)
Copilot Autofix (AI), 2 days ago:
In general, the fix is to stop globally disabling CSRF and to configure CSRF protection in a way that is compatible with the existing API usage. For APIs that are called from browsers with session/cookie-based authentication, CSRF should remain enabled, with appropriate mechanisms for obtaining and sending the CSRF token (e.g., using CookieCsrfTokenRepository). For specific endpoints that must be exempt (such as read‑only APIs or non‑browser callback endpoints), those paths can be explicitly ignored by CSRF rather than disabling it entirely.
The best fix here, without changing the existing authorization behavior, is to replace .csrf(AbstractHttpConfigurer::disable) with a CSRF configuration that (a) keeps CSRF protection enabled by default, and (b) uses a cookie-based CSRF token repository suitable for browser clients. A common pattern is:
    .csrf(csrf -> csrf
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    )

This preserves current URL access rules and filters while re-enabling CSRF. We will make this same change in both the Keycloak-enabled and Keycloak-disabled branches, touching only the `.csrf(...)` lines and adding the necessary import for `CookieCsrfTokenRepository`. Concretely:
- In `KeycloakSecurityConfig.keycloakSecurityFilterChain`, in the Keycloak-enabled branch (around line 79), replace `.csrf(AbstractHttpConfigurer::disable)` with a lambda configuring `CookieCsrfTokenRepository`.
- In the Keycloak-disabled (BasicAuth) branch (around line 104), do the same.
- Add an import for `org.springframework.security.web.csrf.CookieCsrfTokenRepository;` at the top of the file.
| @@ -16,6 +16,7 @@ | ||
| import org.springframework.security.config.http.SessionCreationPolicy; | ||
| import org.springframework.security.web.SecurityFilterChain; | ||
| import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; | ||
| import org.springframework.security.web.csrf.CookieCsrfTokenRepository; | ||
| import org.springframework.security.web.util.matcher.AntPathRequestMatcher; | ||
| @Order(70) | ||
| @@ -76,7 +77,7 @@ | ||
| .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)) | ||
| .addFilterBefore(keycloakAuthenticationFilter, BasicAuthenticationFilter.class) | ||
| .anonymous(AbstractHttpConfigurer::disable) | ||
| .csrf(AbstractHttpConfigurer::disable) //NOSONAR | ||
| .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())) | ||
| .cors(cors -> cors.configurationSource(corsConfigurationSource())); | ||
| return http.build(); | ||
| } else { | ||
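Review bot: The replacement for the flagged `.csrf(...)` line in this Keycloak branch will make every non-GET request on the chain fail with 403 until the front end is changed, and nothing in the patch touches the client: with `CookieCsrfTokenRepository.withHttpOnlyFalse()` the browser has to read the XSRF-TOKEN cookie and send its value back in an X-XSRF-TOKEN header. On Spring Security 6 the default XorCsrfTokenRequestAttributeHandler also defers loading the token, so the cookie is not even written unless something calls `getToken()` on the deferred `CsrfToken`; add a `.csrfTokenRequestHandler(...)` that forces that load (the single-page-application pattern from the Spring Security reference) next to the `csrfTokenRepository` call. Separately, CSRF only matters for credentials the browser attaches by itself; if keycloakAuthenticationFilter accepts only a bearer header set explicitly by script and nothing in this chain relies on a session cookie, the honest fix is a comment on the line saying so rather than the bare `//NOSONAR`, since that is the argument a reviewer needs in order to accept the disable.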
| @@ -101,7 +102,7 @@ | ||
| .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)) | ||
| .addFilterBefore(basicAuthFilter, BasicAuthenticationFilter.class) | ||
| .anonymous(AbstractHttpConfigurer::disable) | ||
| .csrf(AbstractHttpConfigurer::disable) //NOSONAR | ||
| .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())) | ||
| .cors(cors -> cors.configurationSource(corsConfigurationSource())); | ||
| return http.build(); |
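Review bot: In this BasicAuth branch the CodeQL finding is a real one, not a false positive, so enabling CSRF at the replaced line is right but the hunk is incomplete: the chain is configured with `SessionCreationPolicy.ALWAYS` and HTTP Basic, and browsers re-send both the session cookie and cached Basic credentials on their own. Two things should accompany `.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())`: a `.csrfTokenRequestHandler(...)` that forces the deferred token to load so the XSRF-TOKEN cookie is actually written (on Spring Security 6 the default handler does not), and an `.ignoringRequestMatchers(...)` for any `/api/*` endpoint that only non-browser clients call, which the autofix text itself recommends instead of an all-or-nothing choice. The PR description should also state that the Swagger UI and scripted callers now have to fetch the cookie with a GET and echo it as X-XSRF-TOKEN on every POST, PUT and DELETE.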
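A complete Spring Security 6 filter chain that shows the flagged `csrf(AbstractHttpConfigurer::disable)` beside a configuration that keeps CSRF enabled with a cookie token, added here as an example; it is not code from this PR or from the project. The `SpaCsrfTokenRequestHandler` follows the single-page-application pattern in the Spring Security reference documentation. The class name `ApiCsrfConfig`, the `/api/**` matcher, the use of `httpBasic` in place of the project's own filters and the `/api/webhooks/**` exemption are assumptions for illustration.

```java
// Added example, not the project's code. Spring Security 6 (Jakarta) filter chain
// for a browser-facing API. Class, bean and path names are assumptions.
package example.security;

import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;

@Configuration
@EnableWebSecurity
public class ApiCsrfConfig {

    // BEFORE (the line CodeQL flags). With a session cookie or HTTP Basic the
    // browser attaches the credential on its own, so any page a logged-in user
    // visits can POST to /api/* and the server accepts it:
    //
    //     .csrf(AbstractHttpConfigurer::disable)

    // AFTER: CSRF stays on. The token lives in a cookie the front end can read
    // (XSRF-TOKEN, HttpOnly=false) and must be echoed in the X-XSRF-TOKEN header.
    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Required on Spring Security 6: the default handler defers token
                // loading, so without this the cookie is never written for a SPA.
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
                // Exempt only endpoints whose callers carry no ambient browser
                // credential (e.g. a signature-authenticated webhook). Assumed path.
                .ignoringRequestMatchers("/api/webhooks/**"));
        return http.build();
    }

    // Pattern from the Spring Security reference docs for single-page apps.
    static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           Supplier<CsrfToken> csrfToken) {
            // The xor handler masks the token whenever it is rendered in a
            // response body (BREACH mitigation).
            this.xor.handle(request, response, csrfToken);
            // Force the deferred token to load so the repository writes the cookie.
            csrfToken.get();
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            // A header value comes straight from the raw cookie, so resolve it with
            // the plain handler; a _csrf form parameter from a rendered page is
            // masked and goes through the xor handler.
            String headerValue = request.getHeader(csrfToken.getHeaderName());
            return (StringUtils.hasText(headerValue) ? this.plain : this.xor)
                .resolveCsrfTokenValue(request, csrfToken);
        }
    }
}
```

On the client side, the browser code reads the `XSRF-TOKEN` cookie after its first GET and sends the value in an `X-XSRF-TOKEN` header on every POST, PUT and DELETE; a curl user does the same with a cookie jar and an explicit header. A state-changing request that arrives without a matching header is rejected with 403, which is exactly the outcome wanted for a request forged from another origin.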