Apply controller security config to all /{tenant}/controller/v1 but d…

…ownloads (#2022) Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
eclipse-hawkbit · Nov 12, 2024 · ca59da8 · ca59da8
1 parent 7902b89
commit ca59da8
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 14 deletions.
diff --git a/...n/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java b/...n/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerDownloadSecurityConfiguration.java
@@ -91,7 +91,7 @@ public FilterRegistrationBean<DosFilter> dosFilterDDIDL(final HawkbitSecurityPro
     }
 
     @Bean
-    @Order(301)
+    @Order(300) // higher priority than HawkBit DDI security, so that the DDI DL security is applied first
     protected SecurityFilterChain filterChainDDIDL(final HttpSecurity http) throws Exception {
         final AuthenticationManager authenticationManager = ControllerSecurityConfiguration.setAuthenticationManager(
                 http, ddiSecurityConfiguration);

diff --git a/.../src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java b/.../src/main/java/org/eclipse/hawkbit/autoconfigure/ddi/ControllerSecurityConfiguration.java
@@ -54,13 +54,7 @@
 class ControllerSecurityConfiguration {
 
     private static final String[] DDI_ANT_MATCHERS = {
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/confirmationBase/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/deploymentBase/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/installedBase/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/cancelAction/**",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/configData",
-            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/{controllerId}/softwaremodules/{softwareModuleId}/artifacts" };
+            DdiRestConstants.BASE_V1_REQUEST_MAPPING + "/**" };
 
     private final ControllerManagement controllerManagement;
     private final TenantConfigurationManagement tenantConfigurationManagement;
@@ -101,7 +95,7 @@ protected FilterRegistrationBean<DosFilter> dosFilterDDI(final HawkbitSecurityPr
     }
 
     @Bean
-    @Order(300)
+    @Order(301)
     protected SecurityFilterChain filterChainDDI(final HttpSecurity http) throws Exception {
         final AuthenticationManager authenticationManager = setAuthenticationManager(http, ddiSecurityConfiguration);
 
@@ -146,15 +140,13 @@ protected SecurityFilterChain filterChainDDI(final HttpSecurity http) throws Exc
             gatewaySecurityTokenFilter.setAuthenticationDetailsSource(authenticationDetailsSource);
 
             http
-                    .authorizeHttpRequests(amrmRegistry ->
-                            amrmRegistry.anyRequest().authenticated())
+                    .authorizeHttpRequests(amrmRegistry -> amrmRegistry.anyRequest().authenticated())
                     .anonymous(AbstractHttpConfigurer::disable)
                     .addFilter(securityHeaderFilter)
                     .addFilter(securityTokenFilter)
                     .addFilter(gatewaySecurityTokenFilter)
                     .exceptionHandling(configurer -> configurer.authenticationEntryPoint(
-                            (request, response, authException) ->
-                                    response.setStatus(HttpStatus.UNAUTHORIZED.value())))
+                            (request, response, authException) -> response.setStatus(HttpStatus.UNAUTHORIZED.value())))
                     .sessionManagement(configurer -> configurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
         }
 
@@ -175,4 +167,4 @@ static AuthenticationManager setAuthenticationManager(final HttpSecurity http, f
         http.authenticationManager(authenticationManager);
         return authenticationManager;
     }
-}
+}