Add filterChain method to fix deprecated WebSecurityConfigurerAdapter (…

…#1840)
corona-warn-app · Jun 8, 2022 · 117834a · 117834a
1 parent 660dfaf
commit 117834a
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 13 deletions.
diff --git a/...callback/src/main/java/app/coronawarn/server/services/callback/config/SecurityConfig.java b/...callback/src/main/java/app/coronawarn/server/services/callback/config/SecurityConfig.java
@@ -13,18 +13,16 @@
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 
 @Configuration
-@EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig {
 
   private static final String CALLBACK_ROUTE =
       "/version/v1" + CallbackController.CALLBACK_ROUTE;
@@ -49,8 +47,14 @@ protected HttpFirewall strictFirewall() {
     return firewall;
   }
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+  /**
+   * Security Filter Chain bean is configured here because it is encouraged a more component-based approach.
+   * Before this we used to extend WebSecurityConfigurerAdapter (now deprecated) and Override the configure method.
+   *
+   * @return newly configured http bean
+   */
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry
         = http.authorizeRequests();
     expressionInterceptUrlRegistry
@@ -61,6 +65,7 @@ protected void configure(HttpSecurity http) throws Exception {
     expressionInterceptUrlRegistry
         .anyRequest().denyAll();
     http.headers().contentSecurityPolicy("default-src 'self'");
+    return http.build();
   }
 
 
@@ -71,7 +76,6 @@ protected void configure(HttpSecurity http) throws Exception {
    * @return UserDetailsService
    */
   @Bean
-  @Override
   public UserDetailsService userDetailsService() {
     return username -> {
       if (username.equals(callbackServiceConfig.getCertCn())) {

diff --git a/...ission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java b/...ission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
@@ -9,15 +9,13 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.validation.beanvalidation.LocalValidatorFactoryBean;
 
 @Configuration
-@EnableWebSecurity
-public class SecurityConfig extends WebSecurityConfigurerAdapter {
+public class SecurityConfig {
 
   private static final String ACTUATOR_ROUTE = "/actuator";
   private static final String HEALTH_ROUTE = ACTUATOR_ROUTE + "/health";
@@ -38,14 +36,21 @@ protected HttpFirewall strictFirewall() {
     return firewall;
   }
 
-  @Override
-  protected void configure(HttpSecurity http) throws Exception {
+  /**
+   * Security Filter Chain bean is configured here because it is encouraged a more component-based approach.
+   * Before this we used to extend WebSecurityConfigurerAdapter (now deprecated) and Override the configure method.
+   *
+   * @return newly configured http bean
+   */
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     http.authorizeRequests()
         .mvcMatchers(HttpMethod.GET, HEALTH_ROUTE, PROMETHEUS_ROUTE, READINESS_ROUTE, LIVENESS_ROUTE).permitAll()
         .mvcMatchers(HttpMethod.POST, SUBMISSION_ROUTE, SUBMISSION_ON_BEHALF_ROUTE).permitAll()
         .anyRequest().denyAll()
         .and().csrf().disable();
     http.headers().contentSecurityPolicy("default-src 'self'");
+    return http.build();
   }
 
   /**