Security fixes applied

z-sztrom · z-sztrom · commit 7c771ce5e480 · 2025-04-29T10:38:20.000+02:00
diff --git a/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java b/publish-service/src/main/java/com/ericsson/eiffel/remrem/publish/config/SecurityConfig.java
@@ -30,6 +30,8 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
+import static org.apache.catalina.webresources.TomcatURLStreamHandlerFactory.disable;
+
 /**
  * This class is used to enable the ldap authentication based on property
  * activedirectory.publish.enabled = true in properties file.
@@ -110,7 +112,13 @@ protected void configure(HttpSecurity http) throws Exception {
             .httpBasic()
             .authenticationEntryPoint(customAuthenticationEntryPoint)
             .and()
-            .csrf();
-//                .disable();
+            .csrf()
+            // The application uses non-browser clients. Yes, there is swagger interface,
+            // but is's used only for testing/tuning.
+            //
+            // From https://docs.spring.io/spring-security/reference/features/exploits/csrf.html
+            // "If you are creating a service that is used only by non-browser clients,
+            //  you likely want to disable CSRF protection."
+            .disable();
     }
 }
