Klartax prod issues (#166)

* Increased version to 1.1.16

* Changed cors configuration to set disabled first to prevent cors configuration exceptions

* Updated version to 1.17

* Replaced deprecated PostgreSQL94Dialect with PostgreSQLDialect

* spring.jpa.open-in-view ist standardmäßig aktiviert: behoben

* Excluded SecurityAutoConfiguration to prevent Spring from creating a default user

* Changed SecurityConfiguration to allow access to swagger

* Changed SecurityConfiguration to allow access to swagger

* Excluded AutoConfiguration for UserDetailsService

* Added RequestMatchers to address warnings for ignored paths

* Increased version to 1.19

keycloak-storage-provider/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>de.adorsys.sts</groupId>
         <artifactId>secure-token-service</artifactId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
 
     <artifactId>keycloak-storage-provider</artifactId>

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>de.adorsys.sts</groupId>
     <artifactId>secure-token-service</artifactId>
-    <version>1.1.15</version>
+    <version>1.1.19</version>
     <packaging>pom</packaging>
 
     <name>SecureTokenService</name>

sts-common/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>de.adorsys.sts</groupId>
 		<artifactId>secure-token-service</artifactId>
-		<version>1.1.15</version>
+		<version>1.1.19</version>
 	</parent>
 
 	<artifactId>sts-common</artifactId>

sts-example/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-keymanagement/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-keymanagement/sts-keymanagement-api/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>sts-keymanagement</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-keymanagement/sts-keymanagement-impl/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>sts-keymanagement</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 
@@ -14,7 +14,7 @@
         <dependency>
             <groupId>de.adorsys.sts</groupId>
             <artifactId>sts-keymanagement-api</artifactId>
-            <version>1.1.15</version>
+            <version>1.1.19</version>
         </dependency>
         <dependency>
             <groupId>de.adorsys.sts</groupId>

sts-persistence-jpa/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-persistence-jpa/src/main/resources/application-postgres.yml

@@ -1,7 +1,6 @@
 spring:
   liquibase:
     default-schema: sts
-
   flyway:
     locations:
     - classpath:/db/migration/flyway/postgres
@@ -10,4 +9,5 @@ spring:
     url: jdbc:postgresql://localhost:5432/sts
   jpa:
     show-sql: false
-    database-platform: org.hibernate.dialect.PostgreSQL94Dialect
+    database-platform: org.hibernate.dialect.PostgreSQLDialect
+    open-in-view: false

sts-persistence-mongo/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-pop/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-resource-server/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-secret-server/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
 
 

sts-secret-server/src/main/java/de/adorsys/sts/secretserver/SecretServerApplication.java

@@ -1,9 +1,12 @@
 package de.adorsys.sts.secretserver;
 
 import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 
-@SpringBootApplication
+@SpringBootApplication(exclude = {UserDetailsServiceAutoConfiguration.class, SecurityAutoConfiguration.class})
 public class SecretServerApplication {
     public static void main(String[] args) {
         SpringApplication.run(SecretServerApplication.class, args);

sts-secret-server/src/main/java/de/adorsys/sts/secretserver/configuration/CorsProperties.java

@@ -11,6 +11,6 @@ public class CorsProperties {
 
     private boolean disbaled;
     private String[] allowedOrigins;
-    private String allowedHeaders;
+    private String[] allowedHeaders;
     private String[] allowedMethods;
 }

sts-secret-server/src/main/java/de/adorsys/sts/secretserver/configuration/SecurityConfiguration.java

@@ -2,13 +2,11 @@
 
 import de.adorsys.sts.filter.JWTAuthenticationFilter;
 import de.adorsys.sts.token.authentication.TokenAuthenticationService;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@@ -23,32 +21,44 @@
 public class SecurityConfiguration {
 
 
-    @Autowired
-    private CorsProperties corsProperties;
+    private final CorsProperties corsProperties;
+
+    public SecurityConfiguration(CorsProperties corsProperties) {
+        this.corsProperties = corsProperties;
+    }
 
     @Bean
     protected SecurityFilterChain securityFilterChain(HttpSecurity http, TokenAuthenticationService tokenAuthenticationService) throws Exception {
-        // @formatter:off
-        http
-                .cors()
-                    .and()
-                .csrf()
-                    .disable()
-                .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
-                    .and()
-                .authorizeHttpRequests((requests) ->requests.requestMatchers(HttpMethod.GET, "/pop").permitAll()
+        if (corsProperties.isDisbaled()) { // Achten Sie auf die korrekte Schreibweise von isDisabled(), falls es ein
+            // Tippfehler war.
+            http.cors().disable();
+        } else {
+            http.cors().configurationSource(request -> {
+                CorsConfiguration corsConfiguration = new CorsConfiguration();
+                corsConfiguration.setAllowedOrigins(Arrays.asList(corsProperties.getAllowedOrigins()));
+                corsConfiguration.setAllowedMethods(Arrays.asList(corsProperties.getAllowedMethods()));
+                corsConfiguration.setAllowedHeaders(Arrays.asList(corsProperties.getAllowedHeaders()));
+                return corsConfiguration;
+            });
+        }
+
+        http.csrf().disable()
+                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                .and()
+                .authorizeHttpRequests((requests) -> requests
+                        // Erlauben Sie den Zugriff auf Swagger-Dokumentation und UI-Ressourcen
+                        .requestMatchers("/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html", "/webjars/**").permitAll()
+                        .requestMatchers("/cloudfoundryapplication/**").permitAll()
+                        // Erlauben Sie den Zugriff auf andere spezifische Endpunkte
+                        .requestMatchers(HttpMethod.GET, "/pop").permitAll()
                         .requestMatchers(HttpMethod.GET, "/actuator/**").permitAll()
-                        .anyRequest().authenticated())
+                        // Alle anderen Anfragen erfordern eine Authentifizierung
+                        .anyRequest().authenticated()
+                );
 
-        ;
-        // @formatter:on
+        // Fügt den JWTAuthenticationFilter vor dem UsernamePasswordAuthenticationFilter hinzu
         http.addFilterBefore(new JWTAuthenticationFilter(tokenAuthenticationService), UsernamePasswordAuthenticationFilter.class);
 
-        if (corsProperties.isDisbaled()) {
-            http.cors().disable();
-        }
-
         return http.build();
     }
 
@@ -57,25 +67,12 @@ public CorsFilter corsFilter() {
         CorsConfiguration config = new CorsConfiguration();
         config.setAllowCredentials(true);
         Arrays.stream(corsProperties.getAllowedOrigins()).forEach(config::addAllowedOrigin);
-        config.addAllowedHeader(corsProperties.getAllowedHeaders());
+        Arrays.asList(corsProperties.getAllowedHeaders()).forEach(config::addAllowedHeader);
         Arrays.stream(corsProperties.getAllowedMethods()).forEach(config::addAllowedMethod);
 
         UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
         source.registerCorsConfiguration("/**", config);
 
         return new CorsFilter(source);
     }
-
-
-    @Bean
-    public WebSecurityCustomizer customize() {
-        return (web) -> web.ignoring().requestMatchers(
-                "/v2/api-docs",
-                "/swagger-resources",
-                "/swagger-resources/configuration/ui",
-                "/swagger-resources/configuration/security",
-                "/swagger-ui.html",
-                "/webjars/**"
-        );
-    }
 }

sts-secret-server/src/main/resources/application.yml

@@ -10,13 +10,14 @@ spring:
     password: db_user@123
   jpa:
     show-sql: false
+    open-in-view: false
     properties:
       hibernate:
         default_schema: sts
   flyway:
     enabled: false
     locations:
-    - db/migration/flyway/h2
+      - db/migration/flyway/h2
   liquibase:
     enabled: true
     change-log: classpath:/db/migration/liquibase/changelog.yml
@@ -26,10 +27,11 @@ spring:
       - org.springframework.boot.autoconfigure.mongo.MongoAutoConfiguration
       - org.springframework.boot.autoconfigure.data.mongo.MongoDataAutoConfiguration
 
+#Example values, do not use for production
 cors:
   disabled: false
-  allowedOrigins: "*"
-  allowedHeaders: "*"
+  allowedOrigins: localhost:8080, localhost:8081
+  allowedHeaders: Content-Type,Authorization,Accept,Origin,Referer,User-Agent
   allowedMethods: GET,POST,PUT,DELETE
 
 sts:

sts-secret/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-server-info/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-service-component-example/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-simple-encryption/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-spring/pom.xml

@@ -3,7 +3,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-token-auth/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

sts-token-auth/src/main/java/de/adorsys/sts/tokenauth/AuthServer.java

@@ -95,7 +95,7 @@ protected void onJsonWebKeySetRetrieved(List<JWK> jwks) {
         log.info("Retrieved {} keys from {}", jwks.size(), jwksUrl);
     }
 
-    public static class JsonWebKeyRetrievalException extends RuntimeException {
+    protected static class JsonWebKeyRetrievalException extends RuntimeException {
         public JsonWebKeyRetrievalException(Throwable cause) {
             super(cause);
         }

sts-token/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>secure-token-service</artifactId>
         <groupId>de.adorsys.sts</groupId>
-        <version>1.1.15</version>
+        <version>1.1.19</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>