authorWilliam Harrington <kb0iic@berzerkula.org>2025-02-17 08:54:54 -0600
committerWilliam Harrington <kb0iic@berzerkula.org>2025-02-17 08:54:54 -0600
commit9eaa667c15a6d931ea371c176dffa32e81b01a2d (patch)
tree85862c7f8af06ac913712f32a94e1ed49d943cd5 /src
parent7d16ce128e09833b370fc923c05f9685c0808bcb (diff)
Add HSTS, ignore csrf on shutdown endpoint, clean up sonarqube issues.
Diffstat (limited to 'src')
-rw-r--r--src/main/java/org/berzerkula/builddb/BuilddbApplication.java1
-rw-r--r--src/main/java/org/berzerkula/builddb/config/SecurityConfig.java16
-rw-r--r--src/main/resources/application.yml12
3 files changed, 22 insertions, 7 deletions
diff --git a/src/main/java/org/berzerkula/builddb/BuilddbApplication.java b/src/main/java/org/berzerkula/builddb/BuilddbApplication.java
index 7ab9042..3386930 100644
--- a/src/main/java/org/berzerkula/builddb/BuilddbApplication.java
+++ b/src/main/java/org/berzerkula/builddb/BuilddbApplication.java
@@ -14,6 +14,7 @@ public class BuilddbApplication {
public static void main(String[] args) {
SpringApplication.run(BuilddbApplication.class, args);
+ logger.info("BuilddbApplication started");
}
}
diff --git a/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java b/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java
index da4b088..9e1ae1d 100644
--- a/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java
+++ b/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java
@@ -18,11 +18,12 @@ public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
+ .securityMatcher("/**")
//.requiresChannel(channel -> channel.anyRequest().requiresSecure())
.authorizeHttpRequests( auth -> auth
.requestMatchers("/").permitAll()
.requestMatchers("/actuator/health","/actuator/info").permitAll()
- .requestMatchers("/actuator/**").hasRole(BuilddbConstants.ROLE_ADMIN)
+ .requestMatchers("/actuator/beans", "/actuator/env", "actuator/metrics", "/actuator/shutdown").hasRole(BuilddbConstants.ROLE_ADMIN)
.requestMatchers("/contact").permitAll()
.requestMatchers("/pkgs/**").hasRole(BuilddbConstants.ROLE_CLIENT)
.requestMatchers("/register").permitAll()
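Review bot: The pattern `"actuator/metrics"` in the new requestMatchers line has no leading slash, so it never matches the request path `/actuator/metrics`; that endpoint falls through to `anyRequest().authenticated()` and becomes reachable by any logged-in user instead of ADMIN only. The same fall-through now applies to every other actuator endpoint that is exposed but not in the list (the removed `/actuator/**` rule covered them all), so the narrowing should be checked against `management.endpoints.web.exposure` before it lands. Suggested lines: `.requestMatchers("/actuator/beans", "/actuator/env", "/actuator/metrics", "/actuator/shutdown").hasRole(BuilddbConstants.ROLE_ADMIN)` followed by `.requestMatchers("/actuator/**").hasRole(BuilddbConstants.ROLE_ADMIN)` as a catch-all, placed after the health/info permitAll as now. securityFilterChain continues past this hunk.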
@@ -30,22 +31,23 @@ public class SecurityConfig {
.requestMatchers("/logout").permitAll()
.anyRequest().authenticated()
)
+ .csrf(csrf -> csrf
+ .ignoringRequestMatchers("/actuator/shutdown"))
.formLogin(form -> form
.loginPage("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/", true)
)
- .logout(config -> config.logoutSuccessUrl("/"))
.headers(headers -> headers
.httpStrictTransportSecurity(hsts -> hsts
- .includeSubDomains(true)
- .maxAgeInSeconds(40)
- .preload(false)))
+ .includeSubDomains(true)
+ .maxAgeInSeconds(40)
+ .preload(false)))
+ .logout(config -> config.logoutSuccessUrl("/"))
.build();
}
-
-
+
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
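Review bot: The new `csrf.ignoringRequestMatchers("/actuator/shutdown")` removes CSRF protection from a state-changing endpoint that is still authorised through the browser session (`hasRole(ROLE_ADMIN)` in the first hunk), so the exemption applies to cookie-authenticated admins rather than only to the tooling it is presumably meant for; this matters more because the application.yml hunk in this commit sets `management.endpoint.shutdown.access: unrestricted`. If a non-browser client needs it, scoping the exemption to a separate stateless actuator chain (`@Order` before this one, HTTP Basic, `SessionCreationPolicy.STATELESS`) keeps the session-based chain protected, and a comment such as `// CSRF exempt: shutdown is invoked by <deployment tool> with Basic auth, never from a browser session` should record the reason either way. Separately, the re-indented `maxAgeInSeconds(40)` gives HSTS no persistent effect (browsers drop the policy after 40 seconds); the customary value once HTTPS is confirmed is on the order of a year, e.g. `.maxAgeInSeconds(31536000)`, and with `requiresChannel` still commented out in the first hunk the header is advisory only — presumably TLS is terminated in front, worth confirming. The start of securityFilterChain is in the previous hunk.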
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 540bcf5..38eb30f 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -10,6 +10,11 @@ spring:
show-sql: false
hibernate:
ddl-auto: update
+ security:
+ user:
+ name: admin
+ password: admin123
+ roles: ADMIN
ssl:
bundle:
pem:
@@ -119,7 +124,14 @@ jasypt:
iv-generator-classname: org.jasypt.iv.NoIvGenerator
password: builddb
+logging:
+ level:
+ org.springframework.security: debug
+
management:
+ endpoint:
+ shutdown:
+ access: unrestricted
endpoints:
web:
exposure: