From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password
---
pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java | 31 +++++++++++++++++++++++--------
1 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java b/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
index f548053..a546258 100644
--- a/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
+++ b/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
@@ -1,6 +1,6 @@
package com.pollex.pam.config;
-import com.pollex.pam.security.*;
+import com.pollex.pam.business.security.AuthoritiesConstants;
import com.pollex.pam.security.jwt.*;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
@@ -14,6 +14,8 @@
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
import org.springframework.web.filter.CorsFilter;
import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;
@@ -58,32 +60,45 @@
// @formatter:off
http
.csrf()
- .disable()
- .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
- .exceptionHandling()
- .authenticationEntryPoint(problemSupport)
- .accessDeniedHandler(problemSupport)
+ .ignoringAntMatchers("/api/**")
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .and()
+ .addFilterBefore(corsFilter, CsrfFilter.class)
+ .exceptionHandling()
+ .authenticationEntryPoint(problemSupport)
+ .accessDeniedHandler(problemSupport)
.and()
.headers()
.contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
.and()
.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
.and()
- .permissionsPolicy().policy("camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=()")
+ .featurePolicy("geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'")
.and()
.frameOptions()
.deny()
.and()
.sessionManagement()
- .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+ .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.and()
.authorizeRequests()
+ .antMatchers("/api/access_analysis/**").permitAll()
.antMatchers("/api/authenticate").permitAll()
+ .antMatchers("/api/logout").permitAll()
.antMatchers("/api/register").permitAll()
.antMatchers("/api/activate").permitAll()
+ .antMatchers("/api/testLogin/**").permitAll()
+ .antMatchers("/api/test/sendMsg/**").permitAll()
+ .antMatchers("/api/otp/**").permitAll()
+ .antMatchers("/api/login/validate/**").permitAll()
+ .antMatchers("/api/eService/authenticate/**").permitAll()
.antMatchers("/api/account/reset-password/init").permitAll()
.antMatchers("/api/account/reset-password/finish").permitAll()
.antMatchers("/api/consultant/recommend").permitAll()
+ .antMatchers("/api/consultant/detail").permitAll()
+ .antMatchers("/api/consultant/fastQuery").permitAll()
+ .antMatchers("/api/consultant/strictQuery").permitAll()
+ .antMatchers("/api/consultant/avatar/**").permitAll()
.antMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
.antMatchers("/api/**").authenticated()
.antMatchers("/websocket/**").authenticated()
--
Gitblit v1.8.0