From ab6ffc26e880e9f421002db5129fdaafd049e817 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sevket=20G=C3=B6kay?= Date: Thu, 15 Aug 2024 06:42:00 +0200 Subject: [PATCH 1/3] exclude websocket paths from spring security (#1523) --- .../java/de/rwth/idsg/steve/config/SecurityConfiguration.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java b/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java index af474449f..d866ee323 100644 --- a/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java +++ b/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java @@ -99,6 +99,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti .requestMatchers( "/static/**", CONFIG.getCxfMapping() + "/**", + WebSocketConfiguration.PATH_INFIX + "**", "/WEB-INF/views/**" // https://github.com/spring-projects/spring-security/issues/13285#issuecomment-1579097065 ).permitAll() .requestMatchers(prefix + "/**").hasRole("ADMIN") From 7e54c34e087a3c3ebda382381271a3499306fd3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sevket=20G=C3=B6kay?= Date: Thu, 15 Aug 2024 07:44:53 +0200 Subject: [PATCH 2/3] disable CSRF for SOAP endpoints --- .../java/de/rwth/idsg/steve/config/SecurityConfiguration.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java b/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java index d866ee323..e9f90a5f1 100644 --- a/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java +++ b/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java 
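Review bot: The new matcher `WebSocketConfiguration.PATH_INFIX + "**"` glues `**` directly onto the infix, whereas the neighbouring `CONFIG.getCxfMapping() + "/**"` inserts the separator explicitly; unless PATH_INFIX is guaranteed to end in `/` (not visible here), the resulting pattern is of the form `/foo**`, which Ant-style matching treats as a single-segment wildcard, so nested paths such as a charge-box identifier below the infix would fall through to the `hasRole("ADMIN")` rule and be rejected. Either normalise it to `WebSocketConfiguration.PATH_INFIX + "/**"` if the infix carries no trailing slash, or document the trailing-slash assumption next to the line. Because this line lets unauthenticated callers reach the WebSocket handshake at the Spring Security layer, record why that is acceptable, e.g. `// OCPP-J charge points connect here; they are not browser sessions and are authenticated at the OCPP layer, not by Spring Security` — confirm that this is actually how the WebSocket endpoint authenticates. Note that the filter registering this chain is mapped in SteveAppContext, so this matcher is only consulted if that mapping covers the WebSocket paths. securityFilterChain continues outside the hunk.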
@@ -104,6 +104,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti ).permitAll() .requestMatchers(prefix + "/**").hasRole("ADMIN") ) + // SOAP stations are making POST calls for communication. even though the following path is permitted for + // all access, there is a global default behaviour from spring security: enable CSRF for all POSTs. + // we need to disable CSRF for SOAP paths explicitly. + .csrf(c -> c.ignoringRequestMatchers(CONFIG.getCxfMapping() + "/**")) .sessionManagement( req -> req.invalidSessionUrl(prefix + "/signin") ) From ae47c8413fe7635135d1f97a702f04508d80355d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sevket=20G=C3=B6kay?= Date: Thu, 15 Aug 2024 07:50:36 +0200 Subject: [PATCH 3/3] enable spring security for all profiles reason: so far, spring security was enabled only for prod profile. the tests were running with test profile. therefore, any security-related issue/regression was not detected. --- .../java/de/rwth/idsg/steve/Application.java | 2 +- .../java/de/rwth/idsg/steve/SteveAppContext.java | 16 +++++++--------- .../idsg/steve/config/SecurityConfiguration.java | 6 +----- 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/src/main/java/de/rwth/idsg/steve/Application.java b/src/main/java/de/rwth/idsg/steve/Application.java index 5164d7842..2682f72a3 100644 --- a/src/main/java/de/rwth/idsg/steve/Application.java +++ b/src/main/java/de/rwth/idsg/steve/Application.java @@ -46,9 +46,9 @@ public Application() { switch (sc.getProfile()) { case DEV: + case TEST: delegate = new SteveDevStarter(); break; - case TEST: case PROD: delegate = new SteveProdStarter(); break; diff --git a/src/main/java/de/rwth/idsg/steve/SteveAppContext.java b/src/main/java/de/rwth/idsg/steve/SteveAppContext.java index bd8829191..f94dce2ad 100644 --- a/src/main/java/de/rwth/idsg/steve/SteveAppContext.java +++ b/src/main/java/de/rwth/idsg/steve/SteveAppContext.java 
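Review bot: The CSRF exemption `ignoringRequestMatchers(CONFIG.getCxfMapping() + "/**")` repeats the permitAll pattern from the preceding hunk by hand; if one is later edited without the other, SOAP POSTs either start failing with 403 or an authenticated path silently loses CSRF protection, so hoist it once, `String soapPaths = CONFIG.getCxfMapping() + "/**";`, and use it in both matchers. The comment should also state the precondition that makes the exemption safe rather than only the Spring default it works around: `// safe only because these endpoints carry no browser session; revisit if they ever serve cookie-authenticated callers`. Since the application registers a separate CXF servlet next to the Spring servlet (see the SteveAppContext hunk), plain string matchers in Spring Security 6 may be reported as ambiguous at startup; if that happens, wrap the pattern in an explicit `AntPathRequestMatcher`. securityFilterChain continues outside the hunk.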
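Review bot: Moving `case TEST:` onto the `SteveDevStarter` branch is not explained by the commit description, which only covers enabling the security filter; a reader cannot tell whether tests now inherit other dev-only behaviour besides security. A one-line comment on the new case would make the intent explicit, e.g. `// TEST shares the dev starter; Spring Security is active in every profile (SteveAppContext), so this no longer weakens coverage` — confirm that the dev starter differs from the prod one only in ways acceptable for tests. The enclosing Application constructor begins and ends outside the hunk.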
@@ -110,15 +110,13 @@ private WebAppContext initWebApp() { ctx.addServlet(web, CONFIG.getSpringMapping()); ctx.addServlet(cxf, CONFIG.getCxfMapping() + "/*"); - if (CONFIG.getProfile().isProd()) { - // If PROD, add security filter - ctx.addFilter( - // The bean name is not arbitrary, but is as expected by Spring - new FilterHolder(new DelegatingFilterProxy(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)), - CONFIG.getSpringMapping() + "*", - EnumSet.allOf(DispatcherType.class) - ); - } + // add spring security + ctx.addFilter( + // The bean name is not arbitrary, but is as expected by Spring + new FilterHolder(new DelegatingFilterProxy(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)), + CONFIG.getSpringMapping() + "*", + EnumSet.allOf(DispatcherType.class) + ); initJSP(ctx); return ctx; diff --git a/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java b/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java index e9f90a5f1..4687cce91 100644 --- a/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java +++ b/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java @@ -20,12 +20,9 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.base.Strings; -import de.rwth.idsg.steve.SteveProdCondition; import de.rwth.idsg.steve.web.api.ApiControllerAdvice; import lombok.extern.slf4j.Slf4j; -import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Conditional; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.http.HttpStatus; 
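Review bot: The security filter is still registered only for `CONFIG.getSpringMapping() + "*"`, while the CXF servlet two lines above is mapped at `CONFIG.getCxfMapping() + "/*"`; unless the CXF and WebSocket paths lie underneath the Spring mapping (not visible here), the `permitAll`/CSRF rules written for them in SecurityConfiguration are never consulted, and making the registration unconditional changes nothing for those endpoints. Replace the terse `// add spring security` with a comment stating the contract, e.g. `// Spring Security is registered in every profile (DEV/TEST/PROD) so tests exercise the same filter chain as production; only requests under the Spring mapping pass through it`. Also, `getSpringMapping() + "*"` is a prefix mapping only when the Spring mapping is `/` (yielding `/*`); a mapping such as `/steve` would produce `/steve*`, which servlet containers treat as an exact literal rather than a prefix — worth a startup check or at least a comment on the configuration value. initWebApp continues outside the hunk.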
@@ -34,7 +31,6 @@ import org.springframework.security.authentication.DisabledException; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -52,6 +48,7 @@ import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; + import java.io.IOException; import static de.rwth.idsg.steve.SteveConfiguration.CONFIG; @@ -63,7 +60,6 @@ @Slf4j @Configuration @EnableWebSecurity -@Conditional(SteveProdCondition.class) public class SecurityConfiguration { /**