authorWilliam Harrington <kb0iic@berzerkula.org>2025-02-17 08:54:54 -0600
committerWilliam Harrington <kb0iic@berzerkula.org>2025-02-17 08:54:54 -0600
commit9eaa667c15a6d931ea371c176dffa32e81b01a2d (patch)
tree85862c7f8af06ac913712f32a94e1ed49d943cd5 /src/main/java/org/berzerkula/builddb/config/SecurityConfig.java
parent7d16ce128e09833b370fc923c05f9685c0808bcb (diff)
Add HSTS, ignore csrf on shutdown endpoint, clean up sonarqube issues.
Diffstat (limited to 'src/main/java/org/berzerkula/builddb/config/SecurityConfig.java')
-rw-r--r--src/main/java/org/berzerkula/builddb/config/SecurityConfig.java16
1 files changed, 9 insertions, 7 deletions
diff --git a/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java b/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java
index da4b088..9e1ae1d 100644
--- a/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java
+++ b/src/main/java/org/berzerkula/builddb/config/SecurityConfig.java
@@ -18,11 +18,12 @@ public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
+ .securityMatcher("/**")
//.requiresChannel(channel -> channel.anyRequest().requiresSecure())
.authorizeHttpRequests( auth -> auth
.requestMatchers("/").permitAll()
.requestMatchers("/actuator/health","/actuator/info").permitAll()
- .requestMatchers("/actuator/**").hasRole(BuilddbConstants.ROLE_ADMIN)
+ .requestMatchers("/actuator/beans", "/actuator/env", "actuator/metrics", "/actuator/shutdown").hasRole(BuilddbConstants.ROLE_ADMIN)
.requestMatchers("/contact").permitAll()
.requestMatchers("/pkgs/**").hasRole(BuilddbConstants.ROLE_CLIENT)
.requestMatchers("/register").permitAll()
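Review bot: Replacing the `/actuator/**` catch-all with an explicit four-entry list on the hasRole line removes the admin gate from every other actuator endpoint that happens to be exposed (heapdump, threaddump, loggers, mappings, configprops, …); those now fall through to `anyRequest().authenticated()`, so any logged-in client can reach them. The third pattern `"actuator/metrics"` is also missing its leading slash, so it will not match a request to `/actuator/metrics` and that endpoint falls through the same way. Keeping a catch-all after the permitAll entries for health/info fixes both: `.requestMatchers("/actuator/**").hasRole(BuilddbConstants.ROLE_ADMIN)`. Which endpoints are actually exposed depends on `management.endpoints.web.exposure` in the application properties, which is not visible here, so it is worth checking that list before narrowing the matcher.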
@@ -30,22 +31,23 @@ public class SecurityConfig {
.requestMatchers("/logout").permitAll()
.anyRequest().authenticated()
)
+ .csrf(csrf -> csrf
+ .ignoringRequestMatchers("/actuator/shutdown"))
.formLogin(form -> form
.loginPage("/login")
.usernameParameter("email")
.passwordParameter("password")
.defaultSuccessUrl("/", true)
)
- .logout(config -> config.logoutSuccessUrl("/"))
.headers(headers -> headers
.httpStrictTransportSecurity(hsts -> hsts
- .includeSubDomains(true)
- .maxAgeInSeconds(40)
- .preload(false)))
+ .includeSubDomains(true)
+ .maxAgeInSeconds(40)
+ .preload(false)))
+ .logout(config -> config.logoutSuccessUrl("/"))
.build();
}
-
-
+
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
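Review bot: Exempting `/actuator/shutdown` from CSRF at the ignoringRequestMatchers line means a browser that holds an admin's form-login session can be made by any third-party page to POST to it and stop the service; the role check on its own does not distinguish a cross-site request from a legitimate one. If the exemption exists so that a script or tool can call shutdown, prefer fetching the CSRF token first, or serve that path from a separate stateless filter chain with non-cookie credentials, rather than disabling the protection on the single most destructive endpoint. Separately, `.maxAgeInSeconds(40)` makes the HSTS policy expire 40 seconds after the last HTTPS visit, which gives no lasting protection; once HTTPS is confirmed end to end, raise it to something like `.maxAgeInSeconds(31536000)`. Note also that with `requiresChannel` still commented out, Spring's HSTS writer only emits the header on requests it considers secure, so behind an HTTP-only proxy it may never be sent unless forwarded headers are honored — presumably checked in deployment, but not visible here.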