Small improvements (#1848)

* refactor: remove CORS

* improvement: add healthcheck to Docker file

Dockerfile

@@ -33,3 +33,6 @@ ENTRYPOINT [ "java", \
    "--add-opens", "java.base/java.io=ALL-UNNAMED", \
    "-Drunning.in.docker=true", \
    "-jar", "webgoat.jar", "--server.address", "0.0.0.0" ]
+
+HEALTHCHECK --interval=30s --timeout=3s \
+  CMD curl --fail http://localhost:8080/WebGoat/actuator/health || exit 1

src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java

@@ -30,7 +30,6 @@
  */
 package org.owasp.webgoat.container;
 
-import java.util.List;
 import lombok.AllArgsConstructor;
 import org.owasp.webgoat.container.users.UserService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -44,9 +43,6 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.cors.CorsConfigurationSource;
-import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
 /** Security configuration for WebGoat. */
 @Configuration
@@ -61,7 +57,6 @@ public class WebSecurityConfig {
     return http.authorizeHttpRequests(
             auth ->
                 auth.requestMatchers(
-                        "/",
                         "/favicon.ico",
                         "/css/**",
                         "/images/**",
@@ -69,7 +64,8 @@ public class WebSecurityConfig {
                         "fonts/**",
                         "/plugins/**",
                         "/registration",
-                        "/register.mvc")
+                        "/register.mvc",
+                        "/actuator/**")
                     .permitAll()
                     .anyRequest()
                     .authenticated())
@@ -87,7 +83,6 @@ public class WebSecurityConfig {
               oidc.loginPage("/login");
             })
         .logout(logout -> logout.deleteCookies("JSESSIONID").invalidateHttpSession(true))
-        .cors(cors -> cors.configurationSource(corsConfigurationSource()))
         .csrf(csrf -> csrf.disable())
         .headers(headers -> headers.disable())
         .exceptionHandling(
@@ -96,17 +91,6 @@ public class WebSecurityConfig {
         .build();
   }
 
-  private CorsConfigurationSource corsConfigurationSource() {
-    CorsConfiguration configuration = new CorsConfiguration();
-    configuration.addAllowedOriginPattern(CorsConfiguration.ALL);
-    configuration.setAllowedMethods(List.of(CorsConfiguration.ALL));
-    configuration.setAllowedHeaders(List.of(CorsConfiguration.ALL));
-    configuration.setAllowCredentials(true);
-    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
-    source.registerCorsConfiguration("/**", configuration);
-    return source;
-  }
-
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
     auth.userDetailsService(userDetailsService);