Skip to content
This repository has been archived by the owner on May 16, 2023. It is now read-only.

Restrict allowed actuator routes #540

Merged
merged 1 commit into from
Jun 11, 2020
Merged

Restrict allowed actuator routes #540

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions ...ission/src/main/java/app/coronawarn/server/services/submission/config/SecurityConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,11 @@
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

private static final String ACTUATOR_ROUTE = "/actuator/**";
private static final String ACTUATOR_ROUTE = "/actuator/";
private static final String HEALTH_ROUTE = ACTUATOR_ROUTE + "health";
private static final String PROMETHEUS_ROUTE = ACTUATOR_ROUTE + "prometheus";
private static final String READINESS_ROUTE = ACTUATOR_ROUTE + "readiness";
private static final String LIVENESS_ROUTE = ACTUATOR_ROUTE + "liveness";
private static final String SUBMISSION_ROUTE =
"/version/v1" + SubmissionController.SUBMISSION_ROUTE;

Expand All @@ -51,7 +55,7 @@ protected HttpFirewall strictFirewall() {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.mvcMatchers(HttpMethod.GET, ACTUATOR_ROUTE).permitAll()
.mvcMatchers(HttpMethod.GET, HEALTH_ROUTE, PROMETHEUS_ROUTE, READINESS_ROUTE, LIVENESS_ROUTE).permitAll()
.mvcMatchers(HttpMethod.POST, SUBMISSION_ROUTE).permitAll()
.anyRequest().denyAll()
.and().csrf().disable();
Expand Down