Package info.ejava.examples.svc.authn.users.security

Class ComponentBasedSecurityConfigurationWorkAround

java.lang.Object

info.ejava.examples.svc.authn.users.security.ComponentBasedSecurityConfigurationWorkAround

public class ComponentBasedSecurityConfigurationWorkAround
extends Object

Constructor Summary

Constructors

Constructor	Description
ComponentBasedSecurityConfigurationWorkAround()

Method Summary

Modifier and Type	Method	Description
org.springframework.security.web.SecurityFilterChain	apiSecurityFilterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc)
org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer	apiStaticResources(org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc)
org.springframework.security.authentication.AuthenticationManager	authnManager(org.springframework.security.config.annotation.web.builders.HttpSecurity http, List<org.springframework.security.core.userdetails.UserDetailsService> userDetailsServices)
private org.springframework.web.cors.CorsConfigurationSource	corsLimitedConfigurationSource()
org.springframework.web.cors.CorsConfigurationSource	corsPermitAllConfigurationSource()
org.springframework.security.web.SecurityFilterChain	defaultSecurityFilterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
org.springframework.security.web.SecurityFilterChain	h2SecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http, org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc, org.springframework.security.authentication.AuthenticationManager authMgr)	Adding h2-console to application and protecting behind a FORM login fed off the application's authentication manager.
org.springframework.security.core.userdetails.UserDetailsService	jdbcUserDetailsService(DataSource userDataSource)
(package private) org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder	mvc(org.springframework.web.servlet.handler.HandlerMappingIntrospector introspector)	https://github.com/jzheaux/cve-2023-34035-mitigations An explicit MvcRequestMatcher.Builder is necessary when mixing SpringMvc with non-SpringMvc Servlets.
org.springframework.security.crypto.password.PasswordEncoder	passwordEncoder()
org.springframework.security.core.userdetails.UserDetailsService	sharedUserDetailsService(org.springframework.security.crypto.password.PasswordEncoder encoder)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

ComponentBasedSecurityConfigurationWorkAround

public ComponentBasedSecurityConfigurationWorkAround()

Method Details

mvc

@Bean
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc(org.springframework.web.servlet.handler.HandlerMappingIntrospector introspector)

https://github.com/jzheaux/cve-2023-34035-mitigations An explicit MvcRequestMatcher.Builder is necessary when mixing SpringMvc with non-SpringMvc Servlets. Enabling the H2 console puts us in that position. Dissabling (spring.h2.console.enabled=false) or being explicit as to which URI apply to SpringMvc avoids the problem.

Parameters:

introspector -

Returns:

apiStaticResources

@Bean
public org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer apiStaticResources(org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc)

apiSecurityFilterChain

@Bean
@Order(0)
public org.springframework.security.web.SecurityFilterChain apiSecurityFilterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
 org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc)
                                                                            throws Exception

Throws:

Exception

authnManager

@Bean
public org.springframework.security.authentication.AuthenticationManager authnManager(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
 List<org.springframework.security.core.userdetails.UserDetailsService> userDetailsServices)
                                                                               throws Exception

Throws:

Exception

defaultSecurityFilterChain

@Bean
@Order(1000)
public org.springframework.security.web.SecurityFilterChain defaultSecurityFilterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http)
                                                                                throws Exception

Throws:

Exception

corsLimitedConfigurationSource

private org.springframework.web.cors.CorsConfigurationSource corsLimitedConfigurationSource()

corsPermitAllConfigurationSource

@Bean
public org.springframework.web.cors.CorsConfigurationSource corsPermitAllConfigurationSource()

passwordEncoder

@Bean
public org.springframework.security.crypto.password.PasswordEncoder passwordEncoder()

sharedUserDetailsService

@Bean
public org.springframework.security.core.userdetails.UserDetailsService sharedUserDetailsService(org.springframework.security.crypto.password.PasswordEncoder encoder)

jdbcUserDetailsService

@Bean
public org.springframework.security.core.userdetails.UserDetailsService jdbcUserDetailsService(DataSource userDataSource)

h2SecurityFilters

@Order(500)
@Bean
public org.springframework.security.web.SecurityFilterChain h2SecurityFilters(org.springframework.security.config.annotation.web.builders.HttpSecurity http,
 org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.Builder mvc,
 org.springframework.security.authentication.AuthenticationManager authMgr)
                                                                       throws Exception

Adding h2-console to application and protecting behind a FORM login fed off the application's authentication manager.

Parameters:

http -

authMgr -

Throws:

Exception