This repository has been archived by the owner on Nov 19, 2021. It is now read-only.

Disable Security at OASP4j (momentarily solution before migrating "Security Module") #20

Open
cbeldacap opened this issue Sep 12, 2016 · 0 comments

Comments

@cbeldacap
Collaborator

cbeldacap commented Sep 12, 2016

Meaning

Due to the current state of the sample application, we've decided, just for now, before we understand how Security Module must work, to disable it so we can perform different HTTP operations. Applying this "solution", the server won't need to respond to an already logged-in user, and it will be possible to retrieve data lists from it.

Code Modification

It will be necessary to modify several files on the "oasp4j-sample-core" project.

BaseWebSecurityConfig.java --> (oasp4j-sample-core/src/main/java/io.oasp.gastronomy.restaurant/general/configuration/)

Enable CORS operations:

@Value("${security.cors.enabled}")
  boolean corsEnabled = true; // false -> true

Add REST operations' paths as unsecured:

String[] unsecuredResources =
        new String[] { "/login", "/security/**", "/services/rest/login", "/services/rest/logout", "/services/rest/**" };

Comment the call to CsrfRequestMatcher:

// activate csrf check for a selection of urls (but not for login & logout)
// .csrf().requireCsrfProtectionMatcher(new CsrfRequestMatcher()).and() 

Just right after that, disable CSRF:

// disable CSRF filtering all together
.csrf().disable()

CsrfRequestMatcher.java --> (oasp4j-sample-core/src/main/java/io/oasp/gastronomy/restaurant/general/common/impl/security)

Add paths without CSRF protection:

  // private static final String[] PATH_PREFIXES_WITHOUT_CSRF_PROTECTION =
  // { "/login", "/logout", "/services/rest/login", "/websocket" };

  private static final String[] PATH_PREFIXES_WITHOUT_CSRF_PROTECTION =
      { "/login", "/logout", "/services/rest/**", "/websocket" };

application.properties --> (oasp4j-sample-core/src/main/resources)

Enable CORS operations:

# false --> true
security.cors.enabled=true

SpringBootApp.java --> (oasp4j-sample-core/src/main/java/io/oasp/gastronomy/restaurant/)

// disable Global Security Method
@EnableGlobalMethodSecurity(jsr250Enabled = false)

Anyway, I put here what those 4 files should look like by the end of this configuration:

disabled_security_oasp4j.zip

@cbeldacap cbeldacap self-assigned this Sep 12, 2016
@cbeldacap cbeldacap changed the title Disable Security Module (momentarily soluction) Disable Security Module (momentarily solution) Sep 12, 2016
@cbeldacap cbeldacap changed the title Disable Security Module (momentarily solution) Disable Security at OASP4j (momentarily solution before migrating "Security Module") Sep 13, 2016
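
A pre-release check that reports whether any of the temporary changes listed in this issue are still active in the four files. This is an added example, not part of the original issue or the OASP4j project; the function names and the file contents below are assumptions constructed from the snippets above, and comment handling is limited to whole-line comments.

```python
import re

# One pattern per temporary change listed in the issue, keyed by file name.
CHECKS = {
    "BaseWebSecurityConfig.java": [
        ("CSRF filtering disabled", r"\.csrf\(\)\s*\.disable\(\)"),
        ("all REST paths unsecured", r'unsecuredResources[^;]*"/services/rest/\*\*"'),
    ],
    "CsrfRequestMatcher.java": [
        ("all REST paths exempt from CSRF",
         r'PATH_PREFIXES_WITHOUT_CSRF_PROTECTION[^;]*"/services/rest/\*\*"'),
    ],
    "application.properties": [("CORS enabled", r"security\.cors\.enabled\s*=\s*true")],
    "SpringBootApp.java": [("JSR-250 method security off", r"jsr250Enabled\s*=\s*false")],
}

def active_lines(text):
    """Drop whole-line comments so commented-out code is not reported as active."""
    skip = ("//", "/*", "*", "#", "!")
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(skip))

def audit(files):
    """files maps file name -> content; returns sorted (file, finding) pairs."""
    found = []
    for name, text in files.items():
        code = active_lines(text)
        found += [(name, label) for label, rx in CHECKS.get(name, []) if re.search(rx, code)]
    return sorted(found)

# Constructed inputs assembled from the snippets in the issue.
RELAXED = {
    "BaseWebSecurityConfig.java": """
String[] unsecuredResources =
    new String[] { "/login", "/security/**", "/services/rest/login", "/services/rest/**" };
// .csrf().requireCsrfProtectionMatcher(new CsrfRequestMatcher()).and()
.csrf().disable()
""",
    "CsrfRequestMatcher.java": """
// { "/login", "/logout", "/services/rest/login", "/websocket" };
private static final String[] PATH_PREFIXES_WITHOUT_CSRF_PROTECTION =
    { "/login", "/logout", "/services/rest/**", "/websocket" };
""",
    "application.properties": "security.cors.enabled=true\n",
    "SpringBootApp.java": "@EnableGlobalMethodSecurity(jsr250Enabled = false)\n",
}

if __name__ == "__main__":
    for name, label in audit(RELAXED):
        print(f"{name}: {label}")
```

Run against the real files by reading each one into the dictionary under its file name; an empty result means none of the listed changes is still active.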