NFC-47 Review findings. Use PathPatternRequestMatcher. Remove POST request if statement. Remove doFilter method. Fix request matchers. Inline filterchain. Remove welcome page from permit all.

Author: SanderKondratjevNortal

example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java

@@ -45,22 +45,19 @@
 public class ApplicationConfiguration implements WebMvcConfigurer {
 
     @Bean
-    SecurityFilterChain filterChain(
-        HttpSecurity http,
-        AuthTokenDTOAuthenticationProvider provider,
-        AuthenticationConfiguration authConfig) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig) throws Exception {
 
         var filter = new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager());
 
         return http
             .csrf(csrf -> csrf.ignoringRequestMatchers("/auth/login"))
             .authorizeHttpRequests(auth -> auth
-                .requestMatchers("/", "/welcome", "/error").permitAll()
+                .requestMatchers("/", "/error").permitAll()
                 .requestMatchers("/auth/challenge", "/auth/mobile/challenge").permitAll()
                 .requestMatchers(HttpMethod.GET, "/auth/eid/login").permitAll()
                 .requestMatchers(
                     "/favicon.ico",
-                    "/css/**", "/js/**", "/images/**", "/webjars/**"
+                    "/css/", "/files/", "/img/", "/js/"
                 ).permitAll()
                 .anyRequest().authenticated()
             )

example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java

@@ -46,6 +46,7 @@
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 
 import java.io.IOException;
 
@@ -58,7 +59,7 @@ public WebEidAjaxLoginProcessingFilter(
             String defaultFilterProcessesUrl,
             AuthenticationManager authenticationManager
     ) {
-        super(defaultFilterProcessesUrl);
+        super(PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, defaultFilterProcessesUrl));
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
@@ -69,10 +70,6 @@ public WebEidAjaxLoginProcessingFilter(
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
             throws AuthenticationException, IOException {
-        if (!HttpMethod.POST.name().equals(request.getMethod())) {
-            LOG.warn("HttpMethod not supported: {}", request.getMethod());
-            throw new AuthenticationServiceException("HttpMethod not supported: " + request.getMethod());
-        }
         final String contentType = request.getHeader("Content-type");
         if (contentType == null || !contentType.startsWith("application/json")) {
             LOG.warn("Content type not supported: {}", contentType);
@@ -92,18 +89,4 @@ protected void successfulAuthentication(HttpServletRequest request, HttpServletR
         super.successfulAuthentication(request, response, chain, authResult);
         securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
     }
-
-    @Override
-    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
-        throws IOException, ServletException {
-
-        HttpServletRequest request = (HttpServletRequest) req;
-
-        if (!HttpMethod.POST.matches(request.getMethod())) {
-            chain.doFilter(req, res);
-            return;
-        }
-
-        super.doFilter(req, res, chain);
-    }
 }