Experimenting with removing anyRequest()

department-of-veterans-affairs · Oct 14, 2023 · 6a0512a · 6a0512a
1 parent 699ddef
commit 6a0512a
Showing 1 changed file with 10 additions and 27 deletions.
diff --git a/app/src/main/java/gov/va/vro/config/SecurityConfig.java b/app/src/main/java/gov/va/vro/config/SecurityConfig.java
@@ -15,7 +15,6 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @Configuration
 @EnableWebSecurity
@@ -83,23 +82,15 @@ public SecurityFilterChain apikeyFilterChain(HttpSecurity httpSecurity) throws E
         .authorizeHttpRequests(
             (authz) -> {
               authz
-                  .requestMatchers(claimInfo)
-                  .permitAll()
-                  .requestMatchers(claimMetrics)
-                  .permitAll()
-                  .requestMatchers(evidencePdf)
-                  .permitAll()
-                  .requestMatchers(fullHealth)
-                  .permitAll()
-                  .requestMatchers(healthAssessment)
-                  .permitAll()
-                  .requestMatchers(immediatePdf)
-                  .permitAll()
-                  .requestMatchers(ACTUATOR_URLS)
-                  .permitAll()
-                  .requestMatchers(V3_URLS)
-                  .permitAll()
-                  .anyRequest()
+                  .requestMatchers(
+                      claimInfo,
+                      claimMetrics,
+                      evidencePdf,
+                      fullHealth,
+                      healthAssessment,
+                      immediatePdf,
+                      ACTUATOR_URLS,
+                      V3_URLS)
                   .authenticated();
             })
         .csrf(AbstractHttpConfigurer::disable)
@@ -134,15 +125,7 @@ public SecurityFilterChain jwtFilterChain(HttpSecurity httpSecurity) throws Exce
         .authorizeHttpRequests(
             (authz) ->
                 authz
-                    .requestMatchers(new AntPathRequestMatcher(automatedClaim))
-                    .permitAll()
-                    .requestMatchers(new AntPathRequestMatcher(examOrder))
-                    .permitAll()
-                    .requestMatchers(new AntPathRequestMatcher(ACTUATOR_URLS))
-                    .permitAll()
-                    .requestMatchers(new AntPathRequestMatcher(V3_URLS))
-                    .permitAll()
-                    .anyRequest()
+                    .requestMatchers(automatedClaim, examOrder, ACTUATOR_URLS, V3_URLS)
                     .authenticated())
         .csrf(AbstractHttpConfigurer::disable)
         .sessionManagement(