Small improvements (#1848)

* refactor: remove CORS * improvement: add healthcheck to Docker file
2024-07-23 17:42:56 +02:00 · 2024-07-23 17:42:56 +02:00 · 2b0c22ac68
commit 2b0c22ac68
parent 85103bbcad
2 changed files with 5 additions and 18 deletions
--- a/3
+++ b/3
@ -33,3 +33,6 @@ ENTRYPOINT [ "java", \
   "--add-opens", "java.base/java.io=ALL-UNNAMED", \
   "-Drunning.in.docker=true", \
   "-jar", "webgoat.jar", "--server.address", "0.0.0.0" ]
+
+HEALTHCHECK --interval=30s --timeout=3s \
+  CMD curl --fail http://localhost:8080/WebGoat/actuator/health || exit 1
--- a/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
+++ b/src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
@ -30,7 +30,6 @@
 */
 package org.owasp.webgoat.container;

-import java.util.List;
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
@ -44,9 +43,6 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

 /** Security configuration for WebGoat. */
@Configuration
@ -61,7 +57,6 @@ public class WebSecurityConfig {
    return http.authorizeHttpRequests(
            auth ->
                auth.requestMatchers(
-                        "/",
                        "/favicon.ico",
                        "/css/**",
                        "/images/**",
@ -69,7 +64,8 @@ public class WebSecurityConfig {
                        "fonts/**",
                        "/plugins/**",
                        "/registration",
-                        "/register.mvc")
+                        "/register.mvc",
+                        "/actuator/**")
                    .permitAll()
                    .anyRequest()
                    .authenticated())
@ -87,7 +83,6 @@ public class WebSecurityConfig {
              oidc.loginPage("/login");
            })
        .logout(logout -> logout.deleteCookies("JSESSIONID").invalidateHttpSession(true))
-        .cors(cors -> cors.configurationSource(corsConfigurationSource()))
        .csrf(csrf -> csrf.disable())
        .headers(headers -> headers.disable())
        .exceptionHandling(
@ -96,17 +91,6 @@ public class WebSecurityConfig {
        .build();
  }

-  private CorsConfigurationSource corsConfigurationSource() {
-    CorsConfiguration configuration = new CorsConfiguration();
-    configuration.addAllowedOriginPattern(CorsConfiguration.ALL);
-    configuration.setAllowedMethods(List.of(CorsConfiguration.ALL));
-    configuration.setAllowedHeaders(List.of(CorsConfiguration.ALL));
-    configuration.setAllowCredentials(true);
-    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-    source.registerCorsConfiguration("/**", configuration);
-    return source;
-  }
-
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);