Content Application Developer Manual / Version 2412.0

4.3.8 Spring Security

CAE Security Configuration

The CAE security implementations are established using Spring Security.

The configuration classes for the CAE security are located in the package com.coremedia.cae.security. All beans for the CAE security are created by the CaeWebSecurityAutoConfiguration auto configuration. For customizations, each of these beans can be replaced by an equally typed bean in a custom configuration class.

HTTP Web Security

In Spring Security, the central bean that realizes the HTTP web security is the org.springframework.security.web.SecurityFilterChain. When the application context is created, it is configured and built using the org.springframework.security.config.annotation.web.builders.HttpSecurity prototype bean. For the CAE, the default configuration is done in the CaeWebSecurityAutoConfiguration auto configuration. To customize the HTTP web security for the CAE when the externalized configuration options are not sufficient, extend com.coremedia.cae.security.CaeHttpSecurityConfigurer and provide it as a bean.

HTTP Firewall

Spring Security configures an HttpFirewall.

For the CoreMedia CAE, the StrictHttpFirewall is configured by the httpFirewall bean of CaeWebSecurityAutoConfiguration. It uses the CAE HTTP firewall configuration options to enable selective removal of its default rejections. In the default CAE (without any extensions), none of the default rejections are removed. If a rejection has to be removed for an extension, the corresponding cae.http-firewall.allow-* property has to be set to true in the extension's component properties file.
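As an added illustration (not code from the CAE or from Spring Security), the following class shows which request paths a StrictHttpFirewall with its default rules rejects, and how relaxing a single rule widens what reaches the filter chain. It assumes spring-security-web and spring-test on the classpath; the class name, the isAccepted helper and the sample paths are constructed for this example, and the exact cae.http-firewall.allow-* property names are not reproduced here.

```java
import java.util.List;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class StrictHttpFirewallDemo {

  // Constructed sample paths; only the first one passes the default rules.
  static final List<String> SAMPLE_PATHS = List.of(
      "/blueprint/servlet/page/1",
      "/blueprint/servlet/page;jsessionid=abc", // semicolon in the path
      "/blueprint/%2e%2e/secret",               // URL-encoded period
      "/blueprint%2fservlet/page",              // URL-encoded slash
      "/blueprint\\servlet\\page");             // backslash

  /** Returns true if the firewall lets the path through, false if it rejects it. */
  static boolean isAccepted(StrictHttpFirewall firewall, String path) {
    MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
    try {
      firewall.getFirewalledRequest(request);
      return true;
    } catch (RequestRejectedException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Defaults: every rejection rule is active, as in the CAE without extensions.
    StrictHttpFirewall defaults = new StrictHttpFirewall();

    // One rule relaxed: this is the effect of enabling a single allow-* option.
    StrictHttpFirewall semicolonAllowed = new StrictHttpFirewall();
    semicolonAllowed.setAllowSemicolon(true);

    for (String path : SAMPLE_PATHS) {
      System.out.printf("%-42s default=%-8s allowSemicolon=%s%n", path,
          isAccepted(defaults, path) ? "accepted" : "rejected",
          isAccepted(semicolonAllowed, path) ? "accepted" : "rejected");
    }
  }
}
```

The relaxed firewall accepts the jsessionid path while still rejecting the encoded and backslash variants, which is why each allow-* option should be enabled only for the extension that needs it.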

User Authentication

Spring Boot provides a default configuration for user authentication via the UserDetailsServiceAutoConfiguration. These defaults can be overridden by providing custom bean definitions, as per the usual Spring Boot behavior.

The CoreMedia Elastic Social extension, for example, provides such custom bean definitions. If this extension is disabled, the default Spring Boot configuration might warn about a configuration that is not production ready. Take a look at the Spring Security documentation for configuration options. One of the following approaches disables the auto-configuration.

  • Provide a NOOP implementation of any ConditionalOnMissingBean bean for the UserDetailsServiceAutoConfiguration, such as

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;

    @Configuration
    public class NoopAuthenticationConfiguration {
      // An AuthenticationManager bean makes UserDetailsServiceAutoConfiguration back off.
      @Bean
      public AuthenticationManager noopAuthenticationManager() {
        return authentication -> {
          throw new UnsupportedOperationException("Authentication not supported.");
        };
      }
    }


  • Exclude the UserDetailsServiceAutoConfiguration via any of the ways to exclude an auto-configuration described in the official Spring Boot documentation.

  • Set the properties spring.security.user.name and spring.security.user.password as mentioned in the official Spring Boot documentation.
