From 46c50af68b4773d1d48747fcab83b3ef5fa0a8ee Mon Sep 17 00:00:00 2001
From: Marc <phrocker@apache.org>
Date: Tue, 23 Sep 2025 09:42:54 -0400
Subject: [PATCH 1/2] Rdpfactory (#7)

* Implement RDP proxy module with Sentrius integration
---
 .local.env                                    |   6 +-
 .local.env.bak                                |   6 +-
 .../controllers/api/HostApiController.java    |   2 +-
 .../startup/ConfigurationApplicationTask.java | 120 +++++++++++-------
 .../templates/sso/enclaves/list_servers.html  |   4 +-
 .../sentrius/sso/core/dto/HostSystemDTO.java  |   7 +-
 .../sso/core/services/security/JwtUtil.java   |  16 +++
 .../sentrius/sso/core/model/HostSystem.java   |  17 ++-
 .../core/repository/ProfileRepository.java    |   5 +
 .../sso/core/services/UserService.java        |  10 ++
 .../IntegrationSecurityTokenService.java      |   1 -
 .../realms/sentrius-realm.json.template       |   5 +-
 docker/sentrius/demoInstaller.yml             |   7 +-
 ops-scripts/base/build-images.sh              |  22 +++-
 ops-scripts/local/deploy-helm.sh              |   2 +-
 .../sso/rdpproxy/config/SecurityConfig.java   |   1 +
 .../security/RdpProxySecurityConfig.java      |   1 +
 17 files changed, 157 insertions(+), 75 deletions(-)

diff --git a/.local.env b/.local.env
index cfa37f72..4eecd0ea 100644
--- a/.local.env
+++ b/.local.env
@@ -1,10 +1,10 @@
-SENTRIUS_VERSION=1.1.510
+SENTRIUS_VERSION=1.1.523
 SENTRIUS_SSH_VERSION=1.1.45
-SENTRIUS_KEYCLOAK_VERSION=1.1.60
+SENTRIUS_KEYCLOAK_VERSION=1.1.64
 SENTRIUS_AGENT_VERSION=1.1.51
 SENTRIUS_AI_AGENT_VERSION=1.1.287
 LLMPROXY_VERSION=1.0.88
 LAUNCHER_VERSION=1.0.91
 AGENTPROXY_VERSION=1.0.92
 SSHPROXY_VERSION=1.0.91
-RDPPROXY_VERSION=1.0.122
\ No newline at end of file
+RDPPROXY_VERSION=1.0.122
diff --git a/.local.env.bak b/.local.env.bak
index cfa37f72..4eecd0ea 100644
--- a/.local.env.bak
+++ b/.local.env.bak
@@ -1,10 +1,10 @@
-SENTRIUS_VERSION=1.1.510
+SENTRIUS_VERSION=1.1.523
 SENTRIUS_SSH_VERSION=1.1.45
-SENTRIUS_KEYCLOAK_VERSION=1.1.60
+SENTRIUS_KEYCLOAK_VERSION=1.1.64
 SENTRIUS_AGENT_VERSION=1.1.51
 SENTRIUS_AI_AGENT_VERSION=1.1.287
 LLMPROXY_VERSION=1.0.88
 LAUNCHER_VERSION=1.0.91
 AGENTPROXY_VERSION=1.0.92
 SSHPROXY_VERSION=1.0.91
-RDPPROXY_VERSION=1.0.122
\ No newline at end of file
+RDPPROXY_VERSION=1.0.122
diff --git a/api/src/main/java/io/sentrius/sso/controllers/api/HostApiController.java b/api/src/main/java/io/sentrius/sso/controllers/api/HostApiController.java
index c724135a..6dc89621 100644
--- a/api/src/main/java/io/sentrius/sso/controllers/api/HostApiController.java
+++ b/api/src/main/java/io/sentrius/sso/controllers/api/HostApiController.java
@@ -317,7 +317,7 @@ public ResponseEntity<Map<String, Object>> initiateRdpSession(
             
             // Validate access to the host group
             Optional<HostGroup> hostGroupOpt = hostGroupService.getHostGroupWithHostSystems(user, enclaveId);
-            if (hostGroupOpt.isEmpty()) {
+            if (!AccessUtil.canAccess(user, SSHAccessEnum.CAN_MANAGE_SYSTEMS) && hostGroupOpt.isEmpty() ) {
                 // log.warn("User {} does not have access to host group {}", user.getUsername(), enclaveId);
                 return ResponseEntity.badRequest().build();
             }
diff --git a/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java b/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
index 729b18ca..404959e8 100644
--- a/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
+++ b/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
@@ -2,7 +2,9 @@
 
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.DigestInputStream;
 import java.security.GeneralSecurityException;
@@ -14,6 +16,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.UUID;
@@ -89,60 +92,82 @@ public class ConfigurationApplicationTask {
     @EventListener(ApplicationReadyEvent.class)
     @Transactional
     public void afterStartup() throws IOException, GeneralSecurityException, JSchException, SQLException {
-        // Your logic here
+        String yamlPath = systemOptions.getYamlConfiguration();
+        if (StringUtils.isEmpty(yamlPath)) {
+            log.info("No configuration file found");
+            return;
+        }
 
-        if (!StringUtils.isEmpty(systemOptions.getYamlConfiguration())) {
-            log.info("Checking for configuration file {}", systemOptions.getYamlConfiguration());
-            var digestStream = new DigestInputStream(
-                new FileInputStream(systemOptions.getYamlConfiguration()),
-                MessageDigest.getInstance("SHA256")
-            );
-            MessageDigest digest = digestStream.getMessageDigest();
-            var hash = new String(digest.digest());
-
-            AtomicBoolean recreate = new AtomicBoolean(false);
-            configurationOptionRepository.findLatestByConfigurationName("yamlConfigurationFileHash")
-                .ifPresentOrElse(
-                    configurationOption -> {
-                        if (!hash.equals(configurationOption.getConfigurationValue())) {
-                            log.info("Configuration file hash has changed, recreating database");
-                            recreate.set(true);
-                        }else {
-                            log.info("Configuration file hash has not changed");
-                        }
-                        configurationOption.setConfigurationValue(hash);
-                        configurationOptionRepository.save(configurationOption);
-                    },
-                    () -> {
-                        log.info("No configuration file hash found, creating one");
-                        var configurationOption = new ConfigurationOption();
-                        configurationOption.setConfigurationName("yamlConfigurationFileHash");
-                        configurationOption.setConfigurationValue(hash);
-                        configurationOptionRepository.save(configurationOption);
-                        recreate.set(true);
-                    }
-                );
+        Path yamlFile = Paths.get(yamlPath);
+        if (!Files.exists(yamlFile)) {
+            log.warn("Configuration file {} not found", yamlFile);
+            return;
+        }
 
-            Boolean deleteFile = systemOptions.getDeleteYamlConfigurationFile();
-            if (null == deleteFile) {
-                deleteFile = true;
-            }
-            if (deleteFile) {
-                Files.delete(Paths.get(systemOptions.getYamlConfiguration()));
+        log.info("Checking for configuration file {}", yamlFile);
+
+        // --- Compute SHA-256 hash of file ---
+        String hash;
+        try {
+            MessageDigest md = MessageDigest.getInstance("SHA-256");
+            try (InputStream in = Files.newInputStream(yamlFile);
+                 DigestInputStream dis = new DigestInputStream(in, md)) {
+                byte[] buffer = new byte[8192];
+                while (dis.read(buffer) != -1) {
+                    // Consume stream fully to update digest
+                }
             }
+            byte[] digest = md.digest();
+            StringBuilder sb = new StringBuilder(digest.length * 2);
+            for (byte b : digest) sb.append(String.format("%02x", b));
+            hash = sb.toString();
+        } catch (Exception e) {
+            throw new IOException("Unable to compute SHA-256 for " + yamlFile, e);
+        }
+
+        AtomicBoolean recreate = new AtomicBoolean(false);
+
+        configurationOptionRepository.findLatestByConfigurationName("yamlConfigurationFileHash")
+            .ifPresentOrElse(existing -> {
+                String oldHash = existing.getConfigurationValue();
+                if (!hash.equalsIgnoreCase(oldHash)) {
+                    log.info("Configuration file hash changed. Recreating database.");
+                    recreate.set(true);
+                } else {
+                    log.info("Configuration file hash unchanged ({}).", hash);
+                }
+                existing.setConfigurationValue(hash);
+                configurationOptionRepository.save(existing);
+            }, () -> {
+                log.info("No configuration file hash found; creating one.");
+                var option = new ConfigurationOption();
+                option.setConfigurationName("yamlConfigurationFileHash");
+                option.setConfigurationValue(hash);
+                configurationOptionRepository.save(option);
+                recreate.set(true);
+            });
+
+        Boolean deleteFile = systemOptions.getDeleteYamlConfigurationFile();
+        if (deleteFile == null) deleteFile = true;
 
-            if (recreate.get()) {
-                log.info("Recreating database");
-                var installConfiguration =
-                    InstallConfiguration.fromYaml(new FileInputStream(systemOptions.getYamlConfiguration()));
-                // recreate the database
+        if (deleteFile) {
+            try {
+                Files.deleteIfExists(yamlFile);
+                log.info("Deleted configuration file {}", yamlFile);
+            } catch (IOException e) {
+                log.warn("Failed to delete configuration file {}", yamlFile, e);
+            }
+        }
 
+        if (recreate.get()) {
+            log.info("Recreating database using configuration {}", yamlFile);
+            try (InputStream in = Files.newInputStream(yamlFile)) {
+                var installConfiguration = InstallConfiguration.fromYaml(in);
                 initialize(installConfiguration, true);
             }
-        } else {
-            log.info("No configuration file found");
         }
     }
+
     @Transactional
     public List<SideEffect> createStaticType(UserType type, boolean action) throws SQLException,
         GeneralSecurityException {
@@ -498,9 +523,11 @@ protected List<SideEffect> createSystems(InstallConfiguration installConfigurati
         if (null != installConfiguration.getSystems()) {
             for (var system : installConfiguration.getSystems()) {
                 var systemObj = HostSystem.fromDTO(system);
+                log.info("Processing system {} with host {} and port {}", systemObj.getDisplayName(), systemObj.getHost(), systemObj.getPort());
                 if ( shouldInsertSystem(systemObj)) {
                     if (action) {
                         var sys = systemRepository.save(systemObj);
+                        log.info("Creating system {}, with id {}", system.getDisplayName(), sys.getId());
                     }
                     sideEffects.add(
                         SideEffect.builder().sideEffectDescription("Creating system " + system.getDisplayName()).type(
@@ -518,7 +545,8 @@ protected boolean shouldInsertSystem(HostSystem systemObj) {
             return true;
         }
         for(HostSystem system : systems) {
-            if (system.getHost().equals(systemObj.getHost()) && system.getPort() == systemObj.getPort()) {
+            if (system.getHost().equals(systemObj.getHost()) && Objects.equals(system.getPort(), systemObj.getPort())) {
+                log.info("System {} with host {} and port {} already exists", systemObj.getDisplayName(), systemObj.getHost(), systemObj.getPort());
                 return false;
             }
         }
diff --git a/api/src/main/resources/templates/sso/enclaves/list_servers.html b/api/src/main/resources/templates/sso/enclaves/list_servers.html
index 14f09adc..2606f213 100755
--- a/api/src/main/resources/templates/sso/enclaves/list_servers.html
+++ b/api/src/main/resources/templates/sso/enclaves/list_servers.html
@@ -167,7 +167,6 @@ <h3>Assigned RDP Servers</h3>
                 <th>System Name</th>
                 <th>Hostname</th>
                 <th>Host Enclave</th>
-                <th>User</th>
                 <th>Operations</th>
             </tr>
             </thead>
@@ -626,8 +625,7 @@ <h5 class="modal-title" id="rdpModalLabel">RDP Session - <span id="rdpHostName">
                 { data: 'displayName' },
                 { data: 'displayName' },
                 { data: 'group.displayName' },
-                { data: 'rdpUser' },
-                {
+               {
                     data: null,
                     render: function(data, type, row) {
                         const groupId = row.group ? row.group.groupId : -1; // Access group.id
diff --git a/core/src/main/java/io/sentrius/sso/core/dto/HostSystemDTO.java b/core/src/main/java/io/sentrius/sso/core/dto/HostSystemDTO.java
index 10c5a4dc..fdac9bd3 100644
--- a/core/src/main/java/io/sentrius/sso/core/dto/HostSystemDTO.java
+++ b/core/src/main/java/io/sentrius/sso/core/dto/HostSystemDTO.java
@@ -25,9 +25,8 @@ public class HostSystemDTO {
 
     private String authorizedKeys;
 
-    @Builder.Default
-    private boolean isRdp = false;
-    private boolean rdpUser;
-    private boolean rdpPassword;
+    private boolean isRdp;
+    private String rdpUser;
+    private String rdpPassword;
 
 }
diff --git a/core/src/main/java/io/sentrius/sso/core/services/security/JwtUtil.java b/core/src/main/java/io/sentrius/sso/core/services/security/JwtUtil.java
index e9e45b05..36a4faae 100644
--- a/core/src/main/java/io/sentrius/sso/core/services/security/JwtUtil.java
+++ b/core/src/main/java/io/sentrius/sso/core/services/security/JwtUtil.java
@@ -1,9 +1,12 @@
 package io.sentrius.sso.core.services.security;
 
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.Base64;
+import java.util.List;
 import java.util.Optional;
 import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import io.jsonwebtoken.Jwts;
@@ -88,6 +91,19 @@ public static Optional<String> getUserTypeName(ObjectNode jwt) {
 
     }
 
+    public static Optional<List<String>> getGroups(ObjectNode jwt) {
+        return Optional.ofNullable(jwt.get("claims"))
+            .map(c -> c.get("assignedGroups"))
+            .filter(JsonNode::isArray)
+            .map(arr -> {
+                List<String> groups = new ArrayList<>();
+                arr.forEach(n -> groups.add(n.asText()));
+                return groups;
+            });
+    }
+
+
+
     public static String extractKid(String jwt) {
         try {
             // Strip "Bearer " prefix if present
diff --git a/dataplane/src/main/java/io/sentrius/sso/core/model/HostSystem.java b/dataplane/src/main/java/io/sentrius/sso/core/model/HostSystem.java
index 9325492a..a2706ecb 100644
--- a/dataplane/src/main/java/io/sentrius/sso/core/model/HostSystem.java
+++ b/dataplane/src/main/java/io/sentrius/sso/core/model/HostSystem.java
@@ -153,8 +153,8 @@ public HostSystemDTO toDTO() {
         dto.statusCd(this.statusCd);
         if (rdpEnabled) {
             dto.isRdp(true);
-            dto.rdpUser(rdpUser != null && !rdpUser.isEmpty());
-            dto.rdpPassword(rdpPassword != null && !rdpPassword.isEmpty());
+            dto.rdpUser(rdpUser);
+            dto.rdpPassword(rdpPassword);
         }
         dto.publicKeyList(this.publicKeyList != null ? new ArrayList<>(this.publicKeyList) : new ArrayList<>());
         dto.errorMsg(this.errorMsg);
@@ -175,8 +175,8 @@ public HostSystemDTO toDTO(HostGroup hg) {
         dto.statusCd(this.statusCd);
         if (rdpEnabled) {
             dto.isRdp(true);
-            dto.rdpUser(rdpUser != null && !rdpUser.isEmpty());
-            dto.rdpPassword(rdpPassword != null && !rdpPassword.isEmpty());
+            dto.rdpUser(rdpUser);
+            dto.rdpPassword(rdpPassword);
         }
         dto.publicKeyList(this.publicKeyList != null ? new ArrayList<>(this.publicKeyList) : new ArrayList<>());
         dto.errorMsg(this.errorMsg);
@@ -209,12 +209,11 @@ public static HostSystem fromDTO(HostSystemDTO dto) {
         hostSystem.setErrorMsg(dto.getErrorMsg());
         hostSystem.setPort(dto.getPort());
         hostSystem.setSshUser(dto.getSshUser());
-        if (dto.isRdp()) {
-            hostSystem.setRdpEnabled(dto.isRdp());
-            hostSystem.setRdpUser(dto.isRdpUser() ? dto.getSshUser() : "");
-            hostSystem.setRdpPassword(dto.isRdpPassword() ? dto.getPassword() : "");
+        if (dto.isRdp()){
+            hostSystem.setRdpEnabled(true);
+            hostSystem.setRdpUser(dto.getRdpUser());
+            hostSystem.setRdpPassword(dto.getRdpPassword());
         }
-
         return hostSystem;
     }
 
diff --git a/dataplane/src/main/java/io/sentrius/sso/core/repository/ProfileRepository.java b/dataplane/src/main/java/io/sentrius/sso/core/repository/ProfileRepository.java
index e208c205..fe00eb33 100644
--- a/dataplane/src/main/java/io/sentrius/sso/core/repository/ProfileRepository.java
+++ b/dataplane/src/main/java/io/sentrius/sso/core/repository/ProfileRepository.java
@@ -1,6 +1,7 @@
 package io.sentrius.sso.core.repository;
 
 import java.util.List;
+import java.util.Optional;
 import io.sentrius.sso.core.model.hostgroup.HostGroup;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.stereotype.Repository;
@@ -11,4 +12,8 @@ public interface ProfileRepository extends JpaRepository<HostGroup, Long> {
     HostGroup getById(Long profileId);
 
     List<HostGroup> findAll();
+
+    Optional<HostGroup> findByName(String name);
+
+
 }
diff --git a/dataplane/src/main/java/io/sentrius/sso/core/services/UserService.java b/dataplane/src/main/java/io/sentrius/sso/core/services/UserService.java
index 431bb889..4135636c 100644
--- a/dataplane/src/main/java/io/sentrius/sso/core/services/UserService.java
+++ b/dataplane/src/main/java/io/sentrius/sso/core/services/UserService.java
@@ -160,6 +160,16 @@ public User getOperatingUser(HttpServletRequest request, HttpServletResponse res
                             .build();
                     ProfileDB.save(newHg);
 
+                    Optional<List<String>> assignedGroups = JwtUtil.getGroups(jwt);
+                    if (assignedGroups.isPresent()) {
+                        for(String groupName : assignedGroups.get()) {
+                            Optional<HostGroup> hg = ProfileDB.findByName(groupName);
+                            if (hg.isPresent()) {
+                                operatingUser.getHostGroups().add(hg.get());
+                            }
+                        }
+                    }
+
                     operatingUser.getHostGroups().add(newHg);
                     save(operatingUser);
                 } else {
diff --git a/dataplane/src/main/java/io/sentrius/sso/core/services/security/IntegrationSecurityTokenService.java b/dataplane/src/main/java/io/sentrius/sso/core/services/security/IntegrationSecurityTokenService.java
index 48247c9b..e5c83d34 100644
--- a/dataplane/src/main/java/io/sentrius/sso/core/services/security/IntegrationSecurityTokenService.java
+++ b/dataplane/src/main/java/io/sentrius/sso/core/services/security/IntegrationSecurityTokenService.java
@@ -65,7 +65,6 @@ public void deleteById(Long id) {
     public List<IntegrationSecurityToken> findByConnectionType(String connectionType) {
         return repository.findByConnectionType(connectionType).stream().map(token -> {
             // decrypt the connecting info
-            log.info("IntegrationSecurityTokenService.findByConnectionType: {}", token);
             IntegrationSecurityToken unmanaged = IntegrationSecurityToken.builder()
                 .id(token.getId())
                 .connectionType(token.getConnectionType())
diff --git a/docker/keycloak/realms/sentrius-realm.json.template b/docker/keycloak/realms/sentrius-realm.json.template
index cf31d172..5170b91a 100644
--- a/docker/keycloak/realms/sentrius-realm.json.template
+++ b/docker/keycloak/realms/sentrius-realm.json.template
@@ -373,7 +373,10 @@
       "enabled": true,
       "emailVerified": true,
       "attributes": {
-        "userType": "Full Access"
+        "userType": "Full Access",
+        "assignedGroups": [
+            "testGroup"
+            ]
       },
       "credentials": [
         {
diff --git a/docker/sentrius/demoInstaller.yml b/docker/sentrius/demoInstaller.yml
index e7a0c12e..08e3fe97 100644
--- a/docker/sentrius/demoInstaller.yml
+++ b/docker/sentrius/demoInstaller.yml
@@ -55,9 +55,12 @@ systems:
     authorizedKeys: ~/.ssh/authorized_keys
   - displayName: sentrius-rdp-test
     sshUser: ubuntu
-    password: ubuntu
+    port: 3389
+    host: sentrius-rdp-test
+    authorizedKeys: ~/.ssh/authorized_keys
     rdp: true
-    host: sentrius-rdp
+    rdpUser: ubuntu
+    rdpPassword: ubuntu
 
 ## Define groups of users who are assigned to systems
 ## also entails the configuration that is applied to groupf
diff --git a/ops-scripts/base/build-images.sh b/ops-scripts/base/build-images.sh
index 592b6b3c..4a215b44 100755
--- a/ops-scripts/base/build-images.sh
+++ b/ops-scripts/base/build-images.sh
@@ -22,7 +22,15 @@ cp "$ENV_FILE" "$ENV_FILE.bak"
 
 # --- Minikube Docker context ---
 if [[ "$ENV_TARGET" == "local" ]]; then
-    eval $(minikube -p minikube docker-env)
+    NODE_COUNT=$(minikube -p minikube node list 2>/dev/null | grep -c 'minikube')
+    if [[ "$NODE_COUNT" -eq 1 ]]; then
+        echo "🟢 Single-node Minikube detected — using docker-env"
+        eval $(minikube -p minikube docker-env)
+        USE_MINIKUBE_LOAD=false
+    else
+        echo "🟠 Multi-node Minikube detected — will use 'minikube image load' after builds"
+        USE_MINIKUBE_LOAD=true
+    fi
 fi
 
 
@@ -71,6 +79,12 @@ build_image() {
         docker build "${BUILD_ARGS[@]}" -t "$name:$version" "$context_dir"
     fi
 
+    # Sync image into Minikube if running multi-node
+    if [[ "$ENV_TARGET" == "local" && "$USE_MINIKUBE_LOAD" == true ]]; then
+        echo "📦 Loading $name:$version into Minikube nodes..."
+        minikube image load "$name:$version"
+    fi
+
     if [ $? -ne 0 ]; then
         echo "❌ Failed to build $name"
         cleanup_docker_context "$context_dir"
@@ -129,6 +143,12 @@ build_keycloak_image() {
         exit 1
     fi
 
+    # Sync image into Minikube if running multi-node
+    if [[ "$ENV_TARGET" == "local" && "$USE_MINIKUBE_LOAD" == true ]]; then
+        echo "📦 Loading $name:$version into Minikube nodes..."
+        minikube image load "$name:$version"
+    fi
+
     if [[ "$ENV_TARGET" == "gcp" ]]; then
         REGISTRY="us-central1-docker.pkg.dev/sentrius-project/sentrius-repo"
         docker tag "$name:$version" "$REGISTRY/$name:$version"
diff --git a/ops-scripts/local/deploy-helm.sh b/ops-scripts/local/deploy-helm.sh
index 83173943..7dfdb34f 100755
--- a/ops-scripts/local/deploy-helm.sh
+++ b/ops-scripts/local/deploy-helm.sh
@@ -16,7 +16,7 @@ ENV_TARGET="local"  # default mode
 CERT_DIR="${SCRIPT_DIR}/../../docker/dev-certs"
 # set default to false
 DEPLOY_ADMINER=${DEPLOY_ADMINER:-false}
-ENABLE_RDP_CONTAINER=${ENABLE_RDP_CONTAINER:-false}
+ENABLE_RDP_CONTAINER=${ENABLE_RDP_CONTAINER:-true}
 
 # --- Load and back up environment file ---
 ENV_FILE="${SCRIPT_DIR}/../../.$ENV_TARGET.env"
diff --git a/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/config/SecurityConfig.java b/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/config/SecurityConfig.java
index 78394f74..e9029c08 100644
--- a/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/config/SecurityConfig.java
+++ b/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/config/SecurityConfig.java
@@ -118,6 +118,7 @@ SecurityFilterChain tunnelChain(HttpSecurity http,
                                     JwtDecoder compositeJwtDecoder) throws Exception {
         http
             .securityMatcher("/guacamole/**")
+            .csrf(csrf -> csrf.disable())
             .requestCache(cache -> cache.disable())
             .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
             .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
diff --git a/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/security/RdpProxySecurityConfig.java b/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/security/RdpProxySecurityConfig.java
index 162f11e5..f3bb5f40 100644
--- a/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/security/RdpProxySecurityConfig.java
+++ b/rdp-proxy/src/main/java/io/sentrius/sso/rdpproxy/security/RdpProxySecurityConfig.java
@@ -36,6 +36,7 @@ public SecurityFilterChain rdpProxySecurityFilterChain(HttpSecurity http) throws
                 .anyRequest().permitAll())
             .sessionManagement(session -> session
                 .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+            .csrf(csrf -> csrf.disable())
             .cors(cors -> cors.configurationSource(corsConfigurationSource()))
             .build();
     }

From 14b7670c627f0aa3f9ce1f49c112ffd4939184bc Mon Sep 17 00:00:00 2001
From: Marc Parisi <phrocker@apache.org>
Date: Fri, 24 Oct 2025 18:00:40 -0400
Subject: [PATCH 2/2] fix test

---
 .../io/sentrius/sso/startup/ConfigurationApplicationTask.java    | 1 -
 1 file changed, 1 deletion(-)

diff --git a/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java b/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
index 404959e8..963e0973 100644
--- a/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
+++ b/api/src/main/java/io/sentrius/sso/startup/ConfigurationApplicationTask.java
@@ -527,7 +527,6 @@ protected List<SideEffect> createSystems(InstallConfiguration installConfigurati
                 if ( shouldInsertSystem(systemObj)) {
                     if (action) {
                         var sys = systemRepository.save(systemObj);
-                        log.info("Creating system {}, with id {}", system.getDisplayName(), sys.getId());
                     }
                     sideEffects.add(
                         SideEffect.builder().sideEffectDescription("Creating system " + system.getDisplayName()).type(