Closed mraible closed 1 year ago
I have tried adding the ignored pattern to the normal security config with `permitAll`. It works well, except for some interference with the default X-Frame-Options `DENY` (e.g. the Swagger API spec or the H2 console). We might set it to `SAMEORIGIN`, or keep it at `DENY` and use the CSP `frame-ancestors` directive with `'self'`.
Not sure, to be honest, what's the best way. CSP is supported by all major browsers we officially support.
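As an added example (not code from this thread or from the JHipster generator), here are the two servlet-stack configurations being compared: a `WebSecurityCustomizer` that ignores static and tooling paths, which takes those requests out of the filter chain entirely so no security headers are written for them, beside the `permitAll` form that keeps every response inside the chain and relaxes only the framing policy. The package name, the URL patterns and the Spring Security 5.7 `antMatchers` API are assumptions (Spring Security 6 replaces `antMatchers` with `requestMatchers`); the CSP shown carries only the `frame-ancestors` directive and leaves the rest of the policy to the application.

```java
package com.example.config; // hypothetical package, not JHipster's

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    // URL patterns assumed for illustration: JHipster-style static assets,
    // the OpenAPI/Swagger UI and the H2 console.
    private static final String[] STATIC_RESOURCES = {
        "/", "/index.html", "/*.js", "/*.css", "/content/**", "/i18n/**"
    };
    private static final String[] FRAMED_TOOLING = {
        "/swagger-ui/**", "/v3/api-docs/**", "/h2-console/**"
    };

    // BEFORE: ignored patterns bypass the whole filter chain. Responses for
    // these paths get no X-Frame-Options, no CSP and no other security header,
    // which is the trade-off behind the startup warning. Shown for comparison
    // only; it is deliberately not registered as a @Bean alongside the chain below.
    public WebSecurityCustomizer ignoringCustomizer() {
        return web -> web.ignoring()
            .antMatchers(STATIC_RESOURCES)
            .antMatchers(FRAMED_TOOLING);
    }

    // AFTER: every request stays inside the chain. Access is relaxed with
    // permitAll, and the header writers still run on each response.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // The H2 console submits forms without a CSRF token; exempt only it.
            .csrf(csrf -> csrf.ignoringAntMatchers("/h2-console/**"))
            .headers(headers -> headers
                // The default DENY breaks the H2 console and Swagger UI frames.
                // A monolith serves them from its own origin, so SAMEORIGIN is enough...
                .frameOptions(frame -> frame.sameOrigin())
                // ...and the same restriction is expressed in CSP for browsers
                // that honour frame-ancestors over X-Frame-Options.
                .contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors 'self'")))
            .authorizeHttpRequests(authz -> authz
                .antMatchers(STATIC_RESOURCES).permitAll()
                .antMatchers(FRAMED_TOOLING).permitAll()
                .antMatchers("/management/health", "/management/info").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

With the `permitAll` form, a request to `/swagger-ui/index.html` is still answered with `X-Frame-Options: SAMEORIGIN` and `Content-Security-Policy: frame-ancestors 'self'`; with the ignoring customizer it is answered with neither, so a quick check of the response headers on one of the tooling URLs is enough to tell which variant is active.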
I also noticed the same issue, and I believe the out-of-box `X-Frame-Options` default of `SAMEORIGIN` should suffice for monolithic applications. In the case of micro-services, it may not work as the origin will change (`registry`, `control-centre`) and thus require more control with `frame-ancestor`, and that seems not well supported in Firefox.
At least with `frame-ancestor self` I didn't notice any issues with Firefox. But I like your proposal to differentiate between monolith and microservice. Will see to provide a PR for that.
The reactive implementation seems no different and uses pattern exclusion to bypass security. We need to be consistent in our strategy and align both tracks to use the same approach.
Will align both implementations of course :)
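As an added example (not code from this thread or from the JHipster generator), the WebFlux counterpart of the alignment discussed here: the reactive track's pattern exclusion is a negated `securityMatcher`, which, like `web.ignoring()` on the servlet side, leaves the excluded responses without any security header; the aligned form drops the exclusion and uses `permitAll` on an `authorizeExchange` rule set with the same `SAMEORIGIN` plus `frame-ancestors 'self'` headers. The package name and URL patterns are assumptions; the H2 console is omitted because it is servlet-only, and CSRF is left at Spring Security's reactive default.

```java
package com.example.config; // hypothetical package, not JHipster's

import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;

@Configuration
@EnableWebFluxSecurity
public class ReactiveSecurityConfiguration {

    // URL patterns assumed for illustration.
    private static final String[] STATIC_RESOURCES = {
        "/", "/index.html", "/*.js", "/*.css", "/content/**", "/i18n/**"
    };
    private static final String[] FRAMED_TOOLING = { "/swagger-ui/**", "/v3/api-docs/**" };

    // BEFORE: a negated securityMatcher keeps these exchanges out of the chain
    // altogether, so their responses carry no X-Frame-Options and no CSP.
    // Shown for comparison only; it is not applied by the bean below.
    public ServerHttpSecurity excludeByMatcher(ServerHttpSecurity http) {
        return http.securityMatcher(new NegatedServerWebExchangeMatcher(
            new OrServerWebExchangeMatcher(pathMatchers(STATIC_RESOURCES), pathMatchers(FRAMED_TOOLING))));
    }

    // AFTER: no exclusion; the chain handles every exchange and permits the
    // public paths, so the header writers run for them as well.
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .headers(headers -> headers
                // Same framing policy as the servlet track: SAMEORIGIN for a monolith...
                .frameOptions(frame -> frame.mode(Mode.SAMEORIGIN))
                // ...mirrored in CSP with frame-ancestors 'self'.
                .contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors 'self'")))
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers(STATIC_RESOURCES).permitAll()
                .pathMatchers(FRAMED_TOOLING).permitAll()
                .pathMatchers("/management/health", "/management/info").permitAll()
                .pathMatchers("/api/**").authenticated()
                .anyExchange().authenticated());
        return http.build();
    }
}
```

Keeping the two pattern arrays and the header block identical across `SecurityConfiguration` and `ReactiveSecurityConfiguration` is what makes the tracks behave the same: a path that is public in one is public in the other, and both answer with the same framing headers.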
Just for future reference, moving the ignore pattern to `permitAll` has some performance impact, as mentioned here, and it will be fixed by https://github.com/spring-projects/spring-security/issues/10913
@mshima I guess this is done now (via https://github.com/jhipster/generator-jhipster/pull/19184 and https://github.com/jhipster/generator-jhipster/pull/19205)? If so let's close this and please claim the bounty.
@atomfrede we need to check if the reactive implementation matches the imperative one.
@DanielFran bug bounty claimed https://opencollective.com/generator-jhipster/expenses/172339
@mshima approved
Overview of the issue
I created a new app with the `main` branch using the following `.yo-rc.json`:
On startup, it gives me a warning about the Spring Security configuration:
If I change the `.yo-rc.json` to have `"reactive": true` and disable caching:
There are no warnings from Spring Security. There is this warning though:
Motivation for or Use Case
Security-related issues shouldn't be ignored.
Reproduce the error
Create a new app with the `main` branch using the `.yo-rc.json` from above.
Related issues
https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter