From 9e3dee861e3665cc0d794a0f2c494ae8df0967d4 Mon Sep 17 00:00:00 2001
From: Pavel Jares
Date: Thu, 1 Feb 2024 10:54:05 +0100
Subject: [PATCH] ZAAS enabled

Signed-off-by: Pavel Jares
---
 .../gateway/adapter/VersionAdapterUtils.java | 12 +-
 .../config/NewSecurityConfiguration.java | 264 +++++++++---------
 2 files changed, 135 insertions(+), 141 deletions(-)

diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/adapter/VersionAdapterUtils.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/adapter/VersionAdapterUtils.java
index e90a2a6d1e..918a57ea1c 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/adapter/VersionAdapterUtils.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/adapter/VersionAdapterUtils.java
@@ -118,13 +118,13 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         };
     }
 
+    final Adapter RESPONSE_ADAPTER =
+        new Adapter<>(org.apache.hc.core5.http.ClassicHttpResponse.class, org.apache.http.client.methods.CloseableHttpResponse.class);
+    final Adapter REQUEST_ADAPTER =
+        new Adapter<>(org.apache.http.HttpRequest.class, org.apache.hc.core5.http.ClassicHttpRequest.class);
+    final Adapter CONTEXT_ADAPTER =
+        new Adapter<>(org.apache.http.protocol.HttpContext.class, org.apache.hc.core5.http.protocol.HttpContext.class);
     public org.apache.http.impl.client.CloseableHttpClient httpClient4(org.apache.hc.client5.http.impl.classic.CloseableHttpClient i) {
-        final Adapter RESPONSE_ADAPTER =
-            new Adapter<>(org.apache.hc.core5.http.ClassicHttpResponse.class, org.apache.http.client.methods.CloseableHttpResponse.class);
-        final Adapter REQUEST_ADAPTER =
-            new Adapter<>(org.apache.http.HttpRequest.class, org.apache.hc.core5.http.ClassicHttpRequest.class);
-        final Adapter CONTEXT_ADAPTER =
-            new Adapter<>(org.apache.http.protocol.HttpContext.class, org.apache.hc.core5.http.protocol.HttpContext.class);
 
         return new org.apache.http.impl.client.CloseableHttpClient() {
             @Override
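Review bot: The three adapters hoisted out of httpClient4 become package-private, non-static instance fields with constant-style names (`final Adapter RESPONSE_ADAPTER =` and the two below it), and `Adapter` is used as a raw type even though the diamond on the right-hand side shows it is generic. Each is built from class literals only, so unless Adapter carries per-instance state that the hunk does not show, they should be `private static final` so they are created once and not visible to the package; if they really are per-instance, keep them instance fields but rename them to lowerCamelCase and narrow them to `private`. In either case parameterize the declared type to match the diamond rather than leaving it raw. The anonymous CloseableHttpClient returned at the end of the hunk continues outside it.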
diff --git a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
index dd000250d7..49af2f3f96 100644
--- a/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
+++ b/gateway-service/src/main/java/org/zowe/apiml/gateway/security/config/NewSecurityConfiguration.java
@@ -19,21 +19,30 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.zowe.apiml.filter.AttlsFilter;
 import org.zowe.apiml.filter.SecureConnectionFilter;
+import org.zowe.apiml.gateway.controllers.AuthController;
+import org.zowe.apiml.gateway.controllers.CacheServiceController;
 import org.zowe.apiml.gateway.controllers.SafResourceAccessController;
+import org.zowe.apiml.gateway.error.controllers.InternalServerErrorController;
+import org.zowe.apiml.gateway.filters.pre.ExtractAuthSourceFilter;
 import org.zowe.apiml.gateway.security.login.FailedAccessTokenHandler;
 import org.zowe.apiml.gateway.security.login.SuccessfulAccessTokenHandler;
 import org.zowe.apiml.gateway.security.login.x509.X509AuthenticationProvider;
@@ -45,9 +54,11 @@
 import org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService;
 import org.zowe.apiml.gateway.security.ticket.SuccessfulTicketHandler;
 import org.zowe.apiml.gateway.services.ServicesInfoController;
+import org.zowe.apiml.gateway.zaas.ZaasAuthenticationFilter;
 import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
 import org.zowe.apiml.security.common.config.CertificateAuthenticationProvider;
 import org.zowe.apiml.security.common.config.HandlerInitializer;
+import org.zowe.apiml.security.common.config.SimpleUserDetailService;
 import org.zowe.apiml.security.common.content.BasicContentFilter;
 import org.zowe.apiml.security.common.content.BearerContentFilter;
 import org.zowe.apiml.security.common.content.CookieContentFilter;
@@ -122,29 +133,28 @@ class AuthenticationFunctionality {
 
         @Bean
         public SecurityFilterChain authenticationFunctionalityFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
-//                authConfigurationProperties.getGatewayLoginEndpoint(),
-//                authConfigurationProperties.getGatewayLoginEndpointOldFormat(),
-//                authConfigurationProperties.getGatewayLogoutEndpoint(),
-//                authConfigurationProperties.getGatewayLogoutEndpointOldFormat()
-//            )))
-//                .authorizeRequests(requests -> requests
-//                    .anyRequest().permitAll())
-//
-//                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
-//                .logout(logout -> logout
-//                    .logoutRequestMatcher(new RegexRequestMatcher(
-//                        String.format("(%s|%s)",
-//                            authConfigurationProperties.getGatewayLogoutEndpoint(),
-//                            authConfigurationProperties.getGatewayLogoutEndpointOldFormat())
-//                        , HttpMethod.POST.name()))
-//                    .addLogoutHandler(logoutHandler())
-//                    .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT)))
-//
-//                .authenticationProvider(compoundAuthProvider) // for authenticating credentials
-//                .authenticationProvider(new CertificateAuthenticationProvider()) // this is a dummy auth provider so the x509 prefiltering doesn't fail with nullpointer (no auth provider) or No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
-//                .apply(new CustomSecurityFilters());
+            baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
+                authConfigurationProperties.getGatewayLoginEndpoint(),
+                authConfigurationProperties.getGatewayLoginEndpointOldFormat(),
+                authConfigurationProperties.getGatewayLogoutEndpoint(),
+                authConfigurationProperties.getGatewayLogoutEndpointOldFormat()
+            )))
+                .authorizeRequests(requests -> requests
+                    .anyRequest().permitAll())
+
+                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
+                .logout(logout -> logout
+                    .logoutRequestMatcher(new RegexRequestMatcher(
+                        String.format("(%s|%s)",
+                            authConfigurationProperties.getGatewayLogoutEndpoint(),
+                            authConfigurationProperties.getGatewayLogoutEndpointOldFormat())
+                        , HttpMethod.POST.name()))
+                    .addLogoutHandler(logoutHandler())
+                    .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT)))
+
+                .authenticationProvider(compoundAuthProvider) // for authenticating credentials
+                .authenticationProvider(new CertificateAuthenticationProvider()) // this is a dummy auth provider so the x509 prefiltering doesn't fail with nullpointer (no auth provider) or No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+                .apply(new CustomSecurityFilters());
             return http.build();
         }
 
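Review bot: The logout matcher interpolates the raw configured endpoint paths into a regex with `String.format("(%s|%s)", ...)` and no quoting, so any regex metacharacter in those paths (a `.` or `+` in particular) silently widens what counts as a logout request; quote each path with `Pattern.quote(...)` before formatting, or replace the regex with two plain request matchers wrapped in an OrRequestMatcher. Separately, `.authorizeRequests(...)` is the deprecated API in the Spring Security line that provides `securityMatchers`/`requestMatchers`; `.authorizeHttpRequests(...)` is its replacement and does not change the `permitAll()` outcome here. Since this body is a near-verbatim revival of the commented-out code, also confirm that switching `antMatchers` to `requestMatchers(String...)` keeps the intended paths — with Spring MVC on the classpath the latter builds MvcRequestMatchers, whose trailing-slash and suffix handling differs from ant patterns. `logoutHandler()` and `x509UserDetailsService()` are defined outside this hunk.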
@@ -195,17 +205,16 @@ class AccessToken {
 
         @Bean
         public SecurityFilterChain accessTokenFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
-//                authConfigurationProperties.getGatewayAccessTokenEndpoint()
-//            )))
-//                .authorizeRequests(requests -> requests
-//                    .anyRequest().permitAll())
-//                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
-//                .authenticationProvider(compoundAuthProvider) // for authenticating credentials
-//                .authenticationProvider(tokenAuthenticationProvider)
-//                .authenticationProvider(new CertificateAuthenticationProvider()) // this is a dummy auth provider so the x509 prefiltering doesn't fail with nullpointer (no auth provider) or No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
-//                .apply(new CustomSecurityFilters());
+            baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
+                authConfigurationProperties.getGatewayAccessTokenEndpoint()
+            )))
+                .authorizeRequests(requests -> requests
+                    .anyRequest().permitAll())
+                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
+                .authenticationProvider(compoundAuthProvider) // for authenticating credentials
+                .authenticationProvider(tokenAuthenticationProvider)
+                .authenticationProvider(new CertificateAuthenticationProvider()) // this is a dummy auth provider so the x509 prefiltering doesn't fail with nullpointer (no auth provider) or No AuthenticationProvider found for org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+                .apply(new CustomSecurityFilters());
             return http.build();
         }
 
@@ -248,16 +257,15 @@ class AuthenticationProtectedEndpoints {
 
         @Bean
         public SecurityFilterChain authProtectedEndpointsFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
-//                authConfigurationProperties.getRevokeMultipleAccessTokens() + "/**",
-//                authConfigurationProperties.getEvictAccessTokensAndRules()
-//            )))
-//                .authorizeRequests(requests -> requests
-//                    .anyRequest().authenticated())
-//                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
-//                .authenticationProvider(compoundAuthProvider) // for authenticating credentials
-//                .apply(new CustomSecurityFilters());
+            baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
+                authConfigurationProperties.getRevokeMultipleAccessTokens() + "/**",
+                authConfigurationProperties.getEvictAccessTokensAndRules()
+            )))
+                .authorizeRequests(requests -> requests
+                    .anyRequest().authenticated())
+                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
+                .authenticationProvider(compoundAuthProvider) // for authenticating credentials
+                .apply(new CustomSecurityFilters());
             return http.build();
         }
 
@@ -295,18 +303,17 @@ class ZaasEndpoints {
 
         @Bean
         public SecurityFilterChain authZaasEndpointsFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
-//                authConfigurationProperties.getRevokeMultipleAccessTokens() + "/**",
-//                authConfigurationProperties.getEvictAccessTokensAndRules(),
-//                "/gateway/zaas/**"
-//            )))
-//                .authorizeRequests(requests -> requests
-//                    .anyRequest().authenticated())
-//                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
-//                .addFilterAfter(new CategorizeCertsFilter(publicKeyCertificatesBase64, certificateValidator), org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter.class)
-//                .addFilterAfter(new ExtractAuthSourceFilter(authSourceService, authExceptionHandler), org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter.class)
-//                .addFilterAfter(new ZaasAuthenticationFilter(authSourceService, authExceptionHandler), CategorizeCertsFilter.class);
+            baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers( // no http method to catch all attempts to login and handle them here. Otherwise it falls to default filterchain and tries to route the calls, which doesnt make sense
+                authConfigurationProperties.getRevokeMultipleAccessTokens() + "/**",
+                authConfigurationProperties.getEvictAccessTokensAndRules(),
+                "/gateway/zaas/**"
+            )))
+                .authorizeRequests(requests -> requests
+                    .anyRequest().authenticated())
+                .x509(x509 -> x509.userDetailsService(x509UserDetailsService()))
+                .addFilterAfter(new CategorizeCertsFilter(publicKeyCertificatesBase64, certificateValidator), org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter.class)
+                .addFilterAfter(new ExtractAuthSourceFilter(authSourceService, authExceptionHandler), org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter.class)
+                .addFilterAfter(new ZaasAuthenticationFilter(authSourceService, authExceptionHandler), CategorizeCertsFilter.class);
             return http.build();
         }
 
@@ -327,14 +334,13 @@ class Query {
 
         @Bean
         public SecurityFilterChain queryFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers(
-//                authConfigurationProperties.getGatewayQueryEndpoint(),
-//                authConfigurationProperties.getGatewayQueryEndpointOldFormat()))).authorizeRequests(requests -> requests
-//                    .anyRequest().authenticated())
-//                .authenticationProvider(tokenAuthenticationProvider)
-//                .logout(logout -> logout.disable()) // logout filter in this chain not needed
-//                .apply(new CustomSecurityFilters());
+            baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers(
+                authConfigurationProperties.getGatewayQueryEndpoint(),
+                authConfigurationProperties.getGatewayQueryEndpointOldFormat()))).authorizeRequests(requests -> requests
+                    .anyRequest().authenticated())
+                .authenticationProvider(tokenAuthenticationProvider)
+                .logout(logout -> logout.disable()) // logout filter in this chain not needed
+                .apply(new CustomSecurityFilters());
             return http.build();
         }
 
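Review bot: The `securityMatchers` of authZaasEndpointsFilterChain repeat the two paths that authProtectedEndpointsFilterChain in the previous hunk already claims (`getRevokeMultipleAccessTokens() + "/**"` and `getEvictAccessTokensAndRules()`), and Spring Security hands a request to the first chain whose matcher accepts it, so only one of the two chains will ever serve those endpoints; the chain `@Order` values that decide which one are outside this hunk. If the ZAAS chain is meant to handle only `/gateway/zaas/**`, drop the two revoke/evict entries here; otherwise add a comment naming the chain that is intended to win, because the loser's providers and custom filters are silently never applied to those paths. Note also that this chain registers no `authenticationProvider(...)` beyond the x509 pre-authenticated one, so whether a token or cookie presented to `/gateway/zaas/**` can satisfy `anyRequest().authenticated()` rests entirely on `ZaasAuthenticationFilter` populating the security context, which is not visible here.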
@@ -373,16 +379,15 @@ class Ticket {
 
         @Bean
         public SecurityFilterChain ticketFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers(
-//                authConfigurationProperties.getGatewayTicketEndpoint(),
-//                authConfigurationProperties.getGatewayTicketEndpointOldFormat()
-//            ))).authorizeRequests(requests -> requests
-//                    .anyRequest().authenticated())
-//                .authenticationProvider(tokenAuthenticationProvider)
-//                .logout(logout -> logout.disable()) // logout filter in this chain not needed
-//                .x509(x509 -> x509 //default x509 filter, authenticates trusted cert, ticketFilter(..) depends on this
-//                    .userDetailsService(new SimpleUserDetailService())).apply(new CustomSecurityFilters());
+            baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers(
+                authConfigurationProperties.getGatewayTicketEndpoint(),
+                authConfigurationProperties.getGatewayTicketEndpointOldFormat()
+            ))).authorizeRequests(requests -> requests
+                    .anyRequest().authenticated())
+                .authenticationProvider(tokenAuthenticationProvider)
+                .logout(logout -> logout.disable()) // logout filter in this chain not needed
+                .x509(x509 -> x509 //default x509 filter, authenticates trusted cert, ticketFilter(..) depends on this
+                    .userDetailsService(new SimpleUserDetailService())).apply(new CustomSecurityFilters());
             return http.build();
         }
 
@@ -422,17 +427,16 @@ class Refresh {
 
         @Bean
         public SecurityFilterChain refreshFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers(
-//                authConfigurationProperties.getGatewayRefreshEndpoint(),
-//                authConfigurationProperties.getGatewayRefreshEndpointOldFormat()
-//            ))).authorizeRequests(requests -> requests
-//                    .anyRequest().authenticated())
-//                .authenticationProvider(tokenAuthenticationProvider)
-//                .logout(logout -> logout.disable()) // logout filter in this chain not needed
-//                .x509(x509 -> x509 //default x509 filter, authenticates trusted cert, ticketFilter(..) depends on this
-//                    .userDetailsService(new SimpleUserDetailService()))
-//                .apply(new CustomSecurityFilters());
+            baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers(
+                authConfigurationProperties.getGatewayRefreshEndpoint(),
+                authConfigurationProperties.getGatewayRefreshEndpointOldFormat()
+            ))).authorizeRequests(requests -> requests
+                    .anyRequest().authenticated())
+                .authenticationProvider(tokenAuthenticationProvider)
+                .logout(logout -> logout.disable()) // logout filter in this chain not needed
+                .x509(x509 -> x509 //default x509 filter, authenticates trusted cert, ticketFilter(..) depends on this
+                    .userDetailsService(new SimpleUserDetailService()))
+                .apply(new CustomSecurityFilters());
             return http.build();
         }
 
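Review bot: The comment on the x509 line of refreshFilterChain, `//default x509 filter, authenticates trusted cert, ticketFilter(..) depends on this`, was carried over from ticketFilterChain, but in the Refresh class the dependent filter is `refreshFilter(...)` (its signature is visible in the next hunk's header); it should read `// default x509 filter, authenticates trusted cert, refreshFilter(..) depends on this`. The same text is in the removed commented-out block, so the mix-up predates this commit, but reviving the code is the moment to correct it so the next reader does not go looking for a ticket filter in this chain.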
@@ -467,16 +471,14 @@ private QueryFilter refreshFilter(String ticketEndpoint, AuthenticationManager a
     class CertificateProtectedEndpoints {
         @Bean
         public SecurityFilterChain certificateEndpointsFilterChain(HttpSecurity http) throws Exception {
-            return null;
-// FIXME:
-//            return baseConfigure(http.requestMatchers(matchers -> matchers
-//                .antMatchers(HttpMethod.DELETE, CacheServiceController.CONTROLLER_PATH + "/**")
-//                .antMatchers(AuthController.CONTROLLER_PATH + AuthController.INVALIDATE_PATH, AuthController.CONTROLLER_PATH + AuthController.DISTRIBUTE_PATH))
-//            ).authorizeRequests(requests -> requests
-//                    .anyRequest().authenticated())
-//                .logout(logout -> logout.disable()) // logout filter in this chain not needed
-//                .x509(x509 -> x509 // default x509 filter, authenticates trusted cert
-//                    .userDetailsService(new SimpleUserDetailService())).build();
+            return baseConfigure(http.securityMatchers(matchers -> matchers
+                .requestMatchers(HttpMethod.DELETE, CacheServiceController.CONTROLLER_PATH + "/**")
+                .requestMatchers(AuthController.CONTROLLER_PATH + AuthController.INVALIDATE_PATH, AuthController.CONTROLLER_PATH + AuthController.DISTRIBUTE_PATH))
+            ).authorizeRequests(requests -> requests
+                    .anyRequest().authenticated())
+                .logout(logout -> logout.disable()) // logout filter in this chain not needed
+                .x509(x509 -> x509 // default x509 filter, authenticates trusted cert
+                    .userDetailsService(new SimpleUserDetailService())).build();
         }
     }
 
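Review bot: Only `DELETE` on `CacheServiceController.CONTROLLER_PATH + "/**"` is claimed by this chain's first matcher, so any other verb on that path falls through to whichever chain matches next — in this patch that is the catch-all `filterChain` on `"/**"`, which is `permitAll()` and routes. That is fine if the cache controller maps DELETE only, but if it exposes GET or POST handlers they are reachable without the client certificate this chain requires; either widen the matcher to the controller path regardless of method, or record the assumption at the matcher, e.g. `// only DELETE is certificate-protected; other verbs on this path are served by the permitAll catch-all chain`. The `@Order` that places this chain ahead of the catch-all is outside the hunk.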
@@ -501,14 +503,13 @@ class CertificateOrAuthProtectedEndpoints {
 
         @Bean
         public SecurityFilterChain certificateOrAuthEndpointsFilterChain(HttpSecurity http) throws Exception {
-// FIXME:
-//            baseConfigure(http.requestMatchers(matchers -> matchers
-//                .antMatchers("/application/**")
-//                .antMatchers(HttpMethod.POST, SafResourceAccessController.FULL_CONTEXT_PATH)
-//                .antMatchers(ServicesInfoController.SERVICES_URL + "/**"))
-//            ).authorizeRequests(requests -> requests
-//                    .anyRequest().authenticated())
-//                .logout(logout -> logout.disable()); // logout filter in this chain not needed
+            baseConfigure(http.securityMatchers(matchers -> matchers
+                .requestMatchers("/application/**")
+                .requestMatchers(HttpMethod.POST, SafResourceAccessController.FULL_CONTEXT_PATH)
+                .requestMatchers(ServicesInfoController.SERVICES_URL + "/**"))
+            ).authorizeRequests(requests -> requests
+                    .anyRequest().authenticated())
+                .logout(logout -> logout.disable()); // logout filter in this chain not needed
 
             if (isAttlsEnabled) {
                 http.x509(withDefaults())
@@ -521,9 +522,8 @@ public SecurityFilterChain certificateOrAuthEndpointsFilterChain(HttpSecurity ht
             return http.authenticationProvider(compoundAuthProvider) // for authenticating credentials
                 .authenticationProvider(tokenAuthenticationProvider) // for authenticating Tokens
                 .authenticationProvider(new CertificateAuthenticationProvider())
-                // FIXME:
-                //.apply(new CustomSecurityFilters())
-                //.and()
+                .apply(new CustomSecurityFilters())
+                .and()
                 .build();
         }
 
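Review bot: The `.apply(new CustomSecurityFilters()).and().build()` chain restored in the second hunk depends on `and()`, which Spring Security deprecates from 6.1 on (and `apply(...)` itself from 6.2, in favour of `with(...)`); since this file already uses the 6.x `securityMatchers`/`requestMatchers` API, the non-deprecated shape is to apply the configurer as its own statement and build from `http`: `http.apply(new CustomSecurityFilters());` followed by `return http.build();` (or `http.with(new CustomSecurityFilters(), withDefaults())` on 6.2+). Behaviour is unchanged and the three `authenticationProvider(...)` calls stay as they are. The AT-TLS branch of this method sits between the two hunks and is not touched by the commit.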
@@ -605,34 +605,30 @@ public WebSecurityCustomizer webSecurityCustomizer() {
         return web -> {
             web.httpFirewall(firewall);
 
-// FIXME:
-//
-//            // Endpoints that skip Spring Security completely
-//            // There is no CORS filter on these endpoints. If you require CORS processing, use a defined filter chain
-//            web.ignoring()
-//                .antMatchers(InternalServerErrorController.ERROR_ENDPOINT, "/error",
-//                    "/application/health", "/application/info", "/application/version",
-//                    AuthController.CONTROLLER_PATH + AuthController.ALL_PUBLIC_KEYS_PATH,
-//                    AuthController.CONTROLLER_PATH + AuthController.CURRENT_PUBLIC_KEYS_PATH);
-//
-//            if (isMetricsEnabled) {
-//                web.ignoring().antMatchers("/application/hystrixstream");
-//            }
+            // Endpoints that skip Spring Security completely
+            // There is no CORS filter on these endpoints. If you require CORS processing, use a defined filter chain
+            web.ignoring()
+                .requestMatchers(InternalServerErrorController.ERROR_ENDPOINT, "/error",
+                    "/application/health", "/application/info", "/application/version",
+                    AuthController.CONTROLLER_PATH + AuthController.ALL_PUBLIC_KEYS_PATH,
+                    AuthController.CONTROLLER_PATH + AuthController.CURRENT_PUBLIC_KEYS_PATH);
+
+            if (isMetricsEnabled) {
+                web.ignoring().requestMatchers("/application/hystrixstream");
+            }
         };
     }
 }
 
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        return null;
-// FIXME:
-//        return baseConfigure(http.requestMatchers(matchers -> matchers.antMatchers("/**", "/gateway/version")))
-//            .authorizeRequests(requests -> requests
-//                .anyRequest()
-//                .permitAll()).logout(logout -> logout.disable())
-//            // sort out client and apiml internal certificates
-//            .addFilterBefore(new CategorizeCertsFilter(publicKeyCertificatesBase64, certificateValidator), AnonymousAuthenticationFilter.class)
-//            .build();
+        return baseConfigure(http.securityMatchers(matchers -> matchers.requestMatchers("/**", "/gateway/version")))
+            .authorizeRequests(requests -> requests
+                .anyRequest()
+                .permitAll()).logout(logout -> logout.disable())
+            // sort out client and apiml internal certificates
+            .addFilterBefore(new CategorizeCertsFilter(publicKeyCertificatesBase64, certificateValidator), AnonymousAuthenticationFilter.class)
+            .build();
     }
 }
 
@@ -645,13 +641,11 @@ protected HttpSecurity baseConfigure(HttpSecurity http) throws Exception {
             http.addFilterBefore(new SecureConnectionFilter(), AttlsFilter.class);
         }
 
-        return null;
-// FIXME:
-//        return http
-//            .cors(withDefaults()).csrf(csrf -> csrf.disable()) // NOSONAR we are using SAMESITE cookie to mitigate CSRF
-//            .headers(headers -> headers.httpStrictTransportSecurity().and()
-//                .frameOptions().disable()).exceptionHandling(handling -> handling.authenticationEntryPoint(handlerInitializer.getBasicAuthUnauthorizedHandler())).sessionManagement(management -> management.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
-//            .exceptionHandling(handling -> handling.authenticationEntryPoint(handlerInitializer.getBasicAuthUnauthorizedHandler()));
+        return http
+            .cors(withDefaults()).csrf(csrf -> csrf.disable()) // NOSONAR we are using SAMESITE cookie to mitigate CSRF
+            .headers(headers -> headers.httpStrictTransportSecurity().and()
+                .frameOptions().disable()).exceptionHandling(handling -> handling.authenticationEntryPoint(handlerInitializer.getBasicAuthUnauthorizedHandler())).sessionManagement(management -> management.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+            .exceptionHandling(handling -> handling.authenticationEntryPoint(handlerInitializer.getBasicAuthUnauthorizedHandler()));
     }
 
     private UserDetailsService x509UserDetailsService() {
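Review bot: `web.ignoring()` removes the listed paths from the security filter chain entirely, so beyond the CORS caveat the comment already gives, nothing that baseConfigure installs runs for them — not the `SecureConnectionFilter` added under the AT-TLS condition, not HSTS or the other security headers; if `/error`, the `/application/health|info|version` endpoints or the public-key endpoints must still be refused over plain connections when AT-TLS is enforced, they belong in a `permitAll()` chain rather than in `ignoring()`. Extend the comment to say so, e.g. `// Bypasses every filter, including AttlsFilter/SecureConnectionFilter and the security headers; use a permitAll() chain if those must apply`. In the catch-all `filterChain` further down, `"/gateway/version"` is already covered by `"/**"` and can be dropped from the matcher list. `firewall` and `isMetricsEnabled` are fields declared outside the hunk.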
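Review bot: baseConfigure configures `exceptionHandling` twice with the same `handlerInitializer.getBasicAuthUnauthorizedHandler()` entry point — once in the middle of the long `.headers(...)` line and again as the final call; the second only reapplies the identical customizer, so drop one and split that line so each concern (`headers`, `exceptionHandling`, `sessionManagement`) gets its own call for readability. Also, `.frameOptions().disable()` removes X-Frame-Options from every chain built on this base; that is harmless for pure API responses, but if the gateway serves any HTML (error pages, a UI) nothing here sets a `Content-Security-Policy: frame-ancestors` substitute, so either use `sameOrigin()` or note in a comment why framing is acceptable. The `.httpStrictTransportSecurity().and()` form is the pre-6.1 API and is deprecated in newer releases, like the `and()` elsewhere in the file. The `isAttlsEnabled` condition guarding the `SecureConnectionFilter` registration starts before this hunk.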