diff --git a/.gcp.env b/.gcp.env index 920b01fd..3e140b1e 100644 --- a/.gcp.env +++ b/.gcp.env @@ -1,4 +1,4 @@ -SENTRIUS_VERSION=1.0.15 +SENTRIUS_VERSION=1.0.17 SENTRIUS_SSH_VERSION=1.0.2 SENTRIUS_KEYCLOAK_VERSION=1.0.4 SENTRIUS_AGENT_VERSION=1.0.11 \ No newline at end of file diff --git a/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java b/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java index fe6591c9..ba6698ee 100644 --- a/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java +++ b/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java @@ -12,6 +12,7 @@ import io.sentrius.sso.core.services.UserService; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -38,6 +39,9 @@ public class SecurityConfig { private final CustomAuthenticationSuccessHandler successHandler; final UserService userService; + @Value("${https.required:false}") // Default is false + private boolean httpsRequired; + @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { @@ -54,6 +58,13 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti ) .cors(Customizer.withDefaults()); + if (httpsRequired) { + http.requiresChannel(channel -> channel + .requestMatchers("/actuator/**").requiresInsecure() // Allow HTTP for Actuator + .anyRequest().requiresSecure() // Force HTTPS for all other requests + ); + } + return http.build(); } diff --git a/api/src/main/resources/application.properties b/api/src/main/resources/application.properties index b90ec691..c8149bb5 100644 --- a/api/src/main/resources/application.properties +++ b/api/src/main/resources/application.properties 
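Review bot: `@Value("${https.required:false}")` makes the channel requirement fail-open: a deployment that omits the key silently runs without HTTPS enforcement, and nothing in this hunk records that it is off. Both configurations touched by this diff (application.properties and the chart values) set the key explicitly, so flipping the default to `@Value("${https.required:true}")` changes no environment shown here while protecting one that forgets the property; the `// Default is false` comment only restates the expression and could instead say why a dev profile opts out. Since the class already imports `@Slf4j`, a single `log.warn("https.required=false: HTTPS is not enforced")` at startup would make an unintended opt-out visible in the pod log. The class body continues outside the hunk.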
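Review bot: `requiresInsecure()` on `/actuator/**` does not merely allow HTTP, it mandates it: an HTTPS request to an actuator path is answered with a redirect to `http://`, so an HTTPS health probe sees a 302 instead of the health body, and the comment `// Allow HTTP for Actuator` overstates what the line does. If the intent is to accept either scheme, exclude those paths from the requirement instead, e.g. `.requestMatchers("/actuator/**").requires(ChannelDecisionManagerImpl.ANY_CHANNEL)` (from `org.springframework.security.web.access.channel`), or drop the matcher and let the probe use HTTPS like everything else. Note also that `requiresSecure()` is decided on `request.isSecure()`, which behind a TLS-terminating load balancer is only true when forwarded headers are applied before the security chain and only trustworthy when the proxy overwrites a client-supplied `X-Forwarded-Proto`; otherwise every request loops on redirect, or a client that reaches the pod directly bypasses the requirement by sending the header itself. `securityFilterChain` starts outside this hunk.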
@@ -75,4 +75,5 @@ spring.security.oauth2.resourceserver.jwt.issuer-uri=http://192.168.1.162:8180/r
 spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
 management.endpoints.web.exposure.include=health
-management.endpoint.health.show-details=always
\ No newline at end of file
+management.endpoint.health.show-details=always
+https.required=false
\ No newline at end of file
diff --git a/sentrius-chart/values.yaml b/sentrius-chart/values.yaml
index 1447bda5..6608fff4 100644
--- a/sentrius-chart/values.yaml
+++ b/sentrius-chart/values.yaml
@@ -65,6 +65,7 @@ sentrius:
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
 spring.security.oauth2.resourceserver.jwt.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
 spring.security.oauth2.client.provider.keycloak.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
+ https.required=false
 dynamic: |
 auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
 twopartyapproval.option.LOCKING_SYSTEMS=true
diff --git a/sentrius-gcp-chart/templates/configmap.yaml b/sentrius-gcp-chart/templates/configmap.yaml
index 5914a85b..795746f8 100644
--- a/sentrius-gcp-chart/templates/configmap.yaml
+++ b/sentrius-gcp-chart/templates/configmap.yaml
@@ -106,8 +106,9 @@ data:
 spring.security.oauth2.client.registration.keycloak.scope={{ .Values.sentrius.oauth2.scope }}
 spring.security.oauth2.resourceserver.jwt.issuer-uri=https://keycloak.{{ .Values.subdomain }}/realms/sentrius
 spring.security.oauth2.client.provider.keycloak.issuer-uri=https://keycloak.{{ .Values.tenant }}.sentrius.cloud/realms/sentrius
- server.forward-headers-strategy=native
+ server.forward-headers-strategy=framework
 https.redirect.enabled=true
+ https.required=true
 dynamic.properties: |
 auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
 twopartyapproval.option.LOCKING_SYSTEMS=true
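Review bot: `management.endpoint.health.show-details=always` on the new side returns component-level health detail (whatever health indicators are registered) to any caller, and with `https.required=false` in this same file everything, actuator included, is served over plain HTTP, so that detail travels in cleartext to anyone who can reach the port unless something outside this diff authenticates the endpoint. `management.endpoint.health.show-details=when-authorized` keeps the up/down status that probes need while withholding the details from anonymous callers. The added `https.required=false` is redundant with the code default but makes the dev setting explicit, which is fine; a short `# dev only: TLS is terminated upstream in deployed profiles` comment above it would stop it being copied into a deployed profile unchanged.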
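Review bot: Switching `server.forward-headers-strategy` from `native` to `framework` changes who is trusted to assert the request scheme: `native` uses Tomcat's RemoteIpValve, which honours `X-Forwarded-*` only from peers in its internal-proxies ranges, whereas `framework` installs Spring's ForwardedHeaderFilter, which applies `Forwarded`/`X-Forwarded-Proto`/`X-Forwarded-For` from any client with no proxy allow-list that I can see configured here. With `https.required=true` on the next added line the HTTPS requirement in SecurityConfig comes down to `request.isSecure()`, so anything that can reach the pod directly (another workload, a NodePort) satisfies it by sending `X-Forwarded-Proto: https`, and can likewise forge the client address if the configured auditor records one. If `native` was dropped because the GCP load balancer's source addresses fall outside Tomcat's default private ranges, the narrower fix is to keep `native` and list them, e.g. `server.tomcat.remoteip.internal-proxies=<LB CIDRs>` (assuming Tomcat is the embedded container); if `framework` stays, the ingress must overwrite these headers and direct pod access should be closed off with a NetworkPolicy. `https.redirect.enabled=true` and `https.required=true` now both appear to drive an HTTP-to-HTTPS redirect; if they are independent mechanisms, one should be retired so a request is not redirected twice.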