Skip to content
This repository has been archived by the owner on May 16, 2023. It is now read-only.

Commit

Permalink
Restict allowed actuator routes (#540)
Browse files Browse the repository at this point in the history
  • Loading branch information
@MKusber @christian-kirschnick
MKusber authored and christian-kirschnick committed Jun 12, 2020
1 parent b3d7ae6 commit 9154764
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions ...ission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,11 @@
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

private static final String ACTUATOR_ROUTE = "/actuator/**";
private static final String ACTUATOR_ROUTE = "/actuator/";
private static final String HEALTH_ROUTE = ACTUATOR_ROUTE + "health";
private static final String PROMETHEUS_ROUTE = ACTUATOR_ROUTE + "prometheus";
private static final String READINESS_ROUTE = ACTUATOR_ROUTE + "readiness";
private static final String LIVENESS_ROUTE = ACTUATOR_ROUTE + "liveness";
private static final String SUBMISSION_ROUTE =
"/version/v1" + SubmissionController.SUBMISSION_ROUTE;

Expand All @@ -51,7 +55,7 @@ protected HttpFirewall strictFirewall() {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.mvcMatchers(HttpMethod.GET, ACTUATOR_ROUTE).permitAll()
.mvcMatchers(HttpMethod.GET, HEALTH_ROUTE, PROMETHEUS_ROUTE, READINESS_ROUTE, LIVENESS_ROUTE).permitAll()
.mvcMatchers(HttpMethod.POST, SUBMISSION_ROUTE).permitAll()
.anyRequest().denyAll()
.and().csrf().disable();
Expand Down

0 comments on commit 9154764

Please sign in to comment.