Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use permitAll for CloudFoundry endpoints #32622

Open
jzheaux opened this issue Oct 6, 2022 · 3 comments
Open

Use permitAll for CloudFoundry endpoints #32622

jzheaux opened this issue Oct 6, 2022 · 3 comments
Labels
type: bug A general bug
Milestone
3.3.x

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Oct 6, 2022

Spring Security 5.8/6 supports delaying the lookup of the SecurityContext until an authorization rule requires it.

As such, it's preferred to use authorizeHttpRequests#permitAll over web.ignoring(). In the past web.ignoring() was added as a quick workaround to address the performance impact of looking up the SecurityContext on every request. Now, Spring Security defers that work until authorization-time and in the case of permitAll, no authorization is performed.

Consider the following application:

@Bean 
SecurityFilterChain app(HttpSecurity http) {
    http
        .authorizeHttpRequests((authorize) -> authorize
                .anyRequest().authenticated()
        )
        // ...

    return http.build();
}

@Bean 
WebSecurityCustomizer ignore() {
    return (web) -> web.ignoring().antMatchers("/cloudfoundry/**");
}

The behavior of the above application asks Spring Security to protect all endpoints other than /cloudfoundry.

As of Spring Security 5.7, this produces a warning that web.ignoring() is not recommended since this prevents Spring Security from using its WAF and writing secure HTTP response headers for those ignored endpoints.

Alternatively, the application can do the following:

@Bean 
SecurityFilterChain app(HttpSecurity http) {
    http
        .authorizeHttpRequests((authorize) -> authorize
                .mvcMatchers("/cloudfoundry/**").permitAll()
                .anyRequest().authenticated()
        )
        // ...

    return http.build();
}

Or, if it should be considered entirely separate:

@Bean 
SecurityFilterChain app(HttpSecurity http) {
    http
        .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
        // ...

    return http.build();
}

@Bean 
@Order(-1)
SecurityFilterChain cloudfoundry(HttpSecurity http) {
    http
        .securityMatchers((matches) -> matches.requestMatchers("/cloudfoundry/**"))
        .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll());

    return http.build();
}

This has the additional benefit of removing Spring Security's warning message.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 6, 2022
@mbhave mbhave added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 2, 2022
@mbhave mbhave added this to the 2.7.x milestone Nov 2, 2022
@mayrstefan mayrstefan mentioned this issue Nov 2, 2022
Closed
@somayaj
Copy link
Contributor

somayaj commented May 26, 2023
edited
Loading

Hi @mbhave @maystefan @jzheaux is this still a bug to be worked on?

@philwebb philwebb modified the milestones: 2.7.x, 3.1.x Nov 8, 2023
@somayaj
Copy link
Contributor

somayaj commented Feb 20, 2024

Hello, is there an agreement here on the approach to follow?

@scottfrederick
Copy link
Contributor

@somayaj We haven't had the time to look closer at this issue with other priorities we're working on.

@mhalbritter mhalbritter mentioned this issue Apr 16, 2024
Closed
@wilkinsona wilkinsona modified the milestones: 3.1.x, 3.2.x May 20, 2024
@philwebb philwebb modified the milestones: 3.2.x, 3.3.x Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug A general bug
Projects
None yet
Milestone
3.3.x
Development

No branches or pull requests
7 participants
@scottfrederick @philwebb @wilkinsona @mbhave @jzheaux @spring-projects-issues @somayaj