Harden Spring Security configuration and enforce HTTPS
- All requests now require HTTPS.
- Stateless sessions enabled for JWT-based auth.
- XSS, HSTS, and Frame-Options headers added.
- /api/auth/** is public; all other routes require authentication.
- CSRF disabled (assumes token-based auth).
@@ -1,23 +1,51 @@
|
|||||||
// package com.skycrate.backend.skycrateBackend.config;
|
package com.skycrate.backend.skycrateBackend.config;
|
||||||
|
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.http.HttpMethod;
|
||||||
|
import org.springframework.security.authentication.AuthenticationProvider;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||||
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
|
import org.springframework.security.web.header.writers.HstsHeaderWriter;
|
||||||
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||||
|
|
||||||
// import org.springframework.context.annotation.Bean;
|
@Configuration
|
||||||
// import org.springframework.context.annotation.Configuration;
|
public class SecurityConfig {
|
||||||
// import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|
||||||
// import org.springframework.security.web.SecurityFilterChain;
|
|
||||||
|
|
||||||
// @Configuration
|
private final AuthenticationProvider authenticationProvider;
|
||||||
// public class SecurityConfig {
|
|
||||||
|
|
||||||
// @Bean
|
public SecurityConfig(AuthenticationProvider authenticationProvider) {
|
||||||
// public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
this.authenticationProvider = authenticationProvider;
|
||||||
// http
|
}
|
||||||
// .csrf(csrf -> csrf.disable()) // Disable CSRF for testing APIs
|
|
||||||
// .authorizeHttpRequests(auth -> auth
|
|
||||||
// .requestMatchers("/api/hdfs/**").permitAll() // Allow HDFS endpoints
|
|
||||||
// .anyRequest().authenticated() // Everything else needs auth
|
|
||||||
// );
|
|
||||||
|
|
||||||
// return http.build();
|
@Bean
|
||||||
// }
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
// }
|
http
|
||||||
|
.csrf(csrf -> csrf.disable()) // if using JWT; enable if using sessions
|
||||||
|
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
|
||||||
|
.authenticationProvider(authenticationProvider)
|
||||||
|
.authorizeHttpRequests(auth -> auth
|
||||||
|
.requestMatchers("/api/auth/**").permitAll()
|
||||||
|
.requestMatchers(HttpMethod.GET, "/public/**").permitAll()
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
)
|
||||||
|
.requiresChannel(channel -> channel
|
||||||
|
.anyRequest().requiresSecure()
|
||||||
|
)
|
||||||
|
.headers(headers -> headers
|
||||||
|
.httpStrictTransportSecurity(hsts -> hsts
|
||||||
|
.includeSubDomains(true)
|
||||||
|
.maxAgeInSeconds(31536000)
|
||||||
|
)
|
||||||
|
.xssProtection(xss -> xss
|
||||||
|
.block(true)
|
||||||
|
)
|
||||||
|
.frameOptions(frame -> frame
|
||||||
|
.deny()
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
return http.build();
|
||||||
|
}
|
||||||
|
}
|
||||||
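Review bot: `.xssProtection(xss -> xss.block(true))` re-enables the `X-XSS-Protection: 1; mode=block` header that current browsers ignore and that Spring Security 5.8+ already emits as `0` by default; `XXssConfig.block(boolean)` was deprecated in 5.8 and, I believe, removed in 6.x, so on a Spring Security 6 build this line likely does not compile. Unless the project still targets 5.x, I would drop the `xssProtection` customisation and keep the default, or state the intent explicitly with `.xssProtection(xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED))`. `requiresChannel(channel -> channel.anyRequest().requiresSecure())` decides on the scheme the servlet container sees, so behind a TLS-terminating proxy that forwards plain HTTP it will redirect every request unless forwarded headers are honoured (for Spring Boot, `server.forward-headers-strategy=framework` or `native`) — worth confirming against the deployment before merging. The newly added imports `HstsHeaderWriter` and `AntPathRequestMatcher` are not referenced in the class and can be removed. The commit description lists only `/api/auth/**` as public, but the matcher chain also permits `GET /public/**`; the description should mention it or the rule should go.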