Talent-Catalog / talentcatalog

https://tctalent.org
GNU Affero General Public License v3.0

Update versions of backend (Spring/Java) libraries #881

Open camerojo opened 5 months ago

camerojo commented 5 months ago

See also #352

ajt001 commented 4 months ago

Spring versions:

id("org.springframework.boot") version "3.2.5"
id("io.spring.dependency-management") version "1.1.0"

Spring 3 URL Matching. Error: org.springframework.web.util.pattern.PatternParseException: No more pattern data allowed after {*...} or ** pattern element

It is related to AntMatcher being replaced by PathPattern. I need to test out removing * and replacing with . It may be resolved by this, which I need to test out: docs

// .requestMatchers(HttpMethod.GET, "/api/admin/saved-search/*/load")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED", "READONLY")

// // POST: EXPORT SAVE SELECTION SAVED SEARCHES
// .requestMatchers(HttpMethod.POST,
// "/api/admin/saved-search-candidate/*/export/csv")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED", "READONLY")
//
// /*
// * SEARCH ENDPOINTS
// */
// // POST: ALL SEARCHES
// .requestMatchers(HttpMethod.POST, "/api/admin/**/search")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED", "READONLY")
//
// // POST: ALL PAGED SEARCHES
// .requestMatchers(HttpMethod.POST, "/api/admin/**/search-paged")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED", "READONLY")

// .requestMatchers(HttpMethod.PUT, "/api/admin/saved-list-candidate/*/merge")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED", "READONLY")            

// PUT: REMOVE CANDIDATE FROM LIST
// .requestMatchers(HttpMethod.PUT, "/api/admin/saved-list-candidate/*/remove")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED", "READONLY")  

// /*
// * CANDIDATE INTAKE ENDPOINTS
// */
// // GET (EXC. READ ONLY)
// .requestMatchers(HttpMethod.GET, "/api/admin/candidate/*/intake")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED",
// "READONLY")
//
// // PUT (EXC. READ ONLY)
// .requestMatchers(HttpMethod.PUT, "/api/admin/candidate/*/intake")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED")
//
// /*
// * JOB INTAKE ENDPOINTS
// */
// // GET (EXC. READ ONLY)
// .requestMatchers(HttpMethod.GET, "/api/admin/job/*/intake")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED",
// "READONLY")
//
// // PUT (EXC. READ ONLY)
// .requestMatchers(HttpMethod.PUT, "/api/admin/job/*/intake")
// .hasAnyRole("SYSTEMADMIN", "ADMIN", "PARTNERADMIN", "SEMILIMITED", "LIMITED")

CSRF docs

.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
// .csrf(CsrfConfigurer::disable)
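
Added example, not part of the original thread or the Talent Catalog code base: a standalone check (spring-web on the classpath) that shows which of the patterns above `PathPatternParser` rejects, and whether a rewritten pattern still covers the same request paths as the old Ant-style rule. The rewrite `/api/admin/*/search` and the sample paths are constructed assumptions; a path that the old rule matched and the rewrite does not would fall through to whatever rule comes later in the chain.

```java
import java.util.List;
import java.util.Map;
import org.springframework.http.server.PathContainer;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.pattern.PathPatternParser;
import org.springframework.web.util.pattern.PatternParseException;

public class PatternMigrationCheck {

    // Old Ant-style pattern from the thread -> hypothetical PathPattern rewrite (assumption).
    static final Map<String, String> REWRITES = Map.of(
        "/api/admin/**/search", "/api/admin/*/search",
        "/api/admin/saved-search/*/load", "/api/admin/saved-search/*/load");

    // Constructed request paths, not taken from the Talent Catalog code base.
    static final List<String> SAMPLE_PATHS = List.of(
        "/api/admin/candidate/search",
        "/api/admin/job/7/search",
        "/api/admin/saved-search/42/load");

    /** True if Spring 6's PathPatternParser accepts the pattern; logs the parser error if not. */
    static boolean parses(String pattern) {
        try {
            PathPatternParser.defaultInstance.parse(pattern);
            return true;
        } catch (PatternParseException ex) {
            System.out.println("rejected: " + pattern + " -> " + ex.getMessage());
            return false;
        }
    }

    /** True if the pattern matches the path under PathPattern rules. */
    static boolean pathPatternMatches(String pattern, String path) {
        return PathPatternParser.defaultInstance.parse(pattern)
            .matches(PathContainer.parsePath(path));
    }

    public static void main(String[] args) {
        AntPathMatcher ant = new AntPathMatcher();
        REWRITES.forEach((oldPattern, newPattern) -> {
            parses(oldPattern);                 // reports old patterns that fail at startup
            if (!parses(newPattern)) return;    // rewrite itself must be valid
            for (String path : SAMPLE_PATHS) {
                boolean before = ant.match(oldPattern, path);
                boolean after = pathPatternMatches(newPattern, path);
                if (before != after) {          // authorization coverage differs for this path
                    System.out.printf("COVERAGE CHANGE %s: %s matched=%b, %s matched=%b%n",
                        path, oldPattern, before, newPattern, after);
                }
            }
        });
    }
}
```

Patterns with a single `*` inside the path parse unchanged; only `**` followed by further segments is rejected, so those are the rules whose coverage needs re-checking after a rewrite.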

ajt001 commented 4 months ago

Might have got past the csrf 403 and now getting a 401 @sadatmalik

Using generated security password: 4b9a663f-a220-42e9-b110-1f73968357cf

This generated password is for development use only. Your security configuration must be updated before running your application in production.

2024-04-30T20:06:07.710+10:00  INFO 18292 --- [           main] o.s.b.t.m.w.SpringBootMockServletContext : Initializing Spring TestDispatcherServlet ''
2024-04-30T20:06:07.710+10:00  INFO 18292 --- [           main] o.s.t.web.servlet.TestDispatcherServlet  : Initializing Servlet ''
2024-04-30T20:06:07.711+10:00  INFO 18292 --- [           main] o.s.t.web.servlet.TestDispatcherServlet  : Completed initialization in 1 ms
2024-04-30T20:06:07.764+10:00  INFO 18292 --- [           main] o.t.server.api.admin.AuthAdminApiTest    : Started AuthAdminApiTest in 1.87 seconds (process running for 2.861)
2024-04-30T20:06:07.826+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@31e84f10, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@c4455b4, org.springframework.security.web.context.SecurityContextHolderFilter@7d4e424e, org.springframework.security.web.header.HeaderWriterFilter@16024b49, org.springframework.web.filter.CorsFilter@747f0f34, org.springframework.security.web.csrf.CsrfFilter@32068aef, org.springframework.security.web.authentication.logout.LogoutFilter@aade5a2, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@684430c1, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@1a53ac0c, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@556ae220, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@74f92d14, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@60251ddb, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2059c3ff, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2689b752, org.springframework.security.web.access.ExceptionTranslationFilter@52463255, org.springframework.security.web.access.intercept.AuthorizationFilter@70a24463]] (1/1)
2024-04-30T20:06:07.827+10:00 DEBUG 18292 --- [           main] o.s.security.web.FilterChainProxy        : Securing POST /api/admin/auth/login
2024-04-30T20:06:07.827+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/16)
2024-04-30T20:06:07.827+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/16)
2024-04-30T20:06:07.828+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/16)
2024-04-30T20:06:07.828+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/16)
2024-04-30T20:06:07.829+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking CorsFilter (5/16)
2024-04-30T20:06:07.829+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (6/16)
2024-04-30T20:06:07.829+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (7/16)
2024-04-30T20:06:07.829+10:00 TRACE 18292 --- [           main] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2024-04-30T20:06:07.829+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking UsernamePasswordAuthenticationFilter (8/16)
2024-04-30T20:06:07.829+10:00 TRACE 18292 --- [           main] w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='/login', POST]
2024-04-30T20:06:07.829+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking DefaultLoginPageGeneratingFilter (9/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking DefaultLogoutPageGeneratingFilter (10/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] .w.a.u.DefaultLogoutPageGeneratingFilter : Did not render default logout page since request did not match [Ant [pattern='/logout', GET]]
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking BasicAuthenticationFilter (11/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.s.w.a.www.BasicAuthenticationFilter  : Did not process authentication request since failed to find username and password in Basic Authorization header
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (12/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.s.w.s.HttpSessionRequestCache        : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (13/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (14/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (15/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (16/16)
2024-04-30T20:06:07.830+10:00 TRACE 18292 --- [           main] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@7156f8cf]
2024-04-30T20:06:07.831+10:00 TRACE 18292 --- [           main] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@7156f8cf] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@5e7ea81b
2024-04-30T20:06:07.831+10:00 TRACE 18292 --- [           main] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2024-04-30T20:06:07.831+10:00 TRACE 18292 --- [           main] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-04-30T20:06:07.831+10:00 TRACE 18292 --- [           main] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-04-30T20:06:07.831+10:00 TRACE 18292 --- [           main] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-04-30T20:06:07.831+10:00 TRACE 18292 --- [           main] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.access.AccessDeniedException: Access Denied
    at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.2.4.jar:6.2.4]

ajt001 commented 4 months ago

Done in other stories, so closing this out.