File History: src/main/java/com/paymentlink/config/SecurityConfig.java

File Content at Commit f0438c2

      
      package com.paymentlink.config;
    
      import org.springframework.context.annotation.Bean;
    
      import org.springframework.context.annotation.Configuration;
    
      import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    
      import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    
      import org.springframework.security.web.SecurityFilterChain;
    
      import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
    
      import org.springframework.security.web.csrf.CsrfToken;
    
      import org.springframework.security.web.firewall.HttpFirewall;
    
      import org.springframework.security.web.firewall.StrictHttpFirewall;
    
      import org.springframework.web.cors.CorsConfiguration;
    
      import org.springframework.web.cors.CorsConfigurationSource;
    
      import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
    
      import jakarta.servlet.http.HttpServletRequest;
    
      import jakarta.servlet.http.HttpServletResponse;
    
      import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
    
      import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
    
      import java.util.Arrays;
    
      import java.util.function.Supplier;
    
      @Configuration
    
      @EnableWebSecurity
    
      public class SecurityConfig {
    
          @Bean
    
          public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    
              http
    
                  // Disable authentication - we want permitAll
    
                  .authorizeHttpRequests(auth -> auth
    
                      .anyRequest().permitAll()
    
                  )
    
                  // Disable CSRF for easier testing (re-enable in production)
    
                  .csrf(csrf -> csrf.disable())
    
                  // CORS Configuration
    
                  .cors(cors -> cors.configurationSource(corsConfigurationSource()));
    
              return http.build();
    
          }
    
          /**
    
           * Custom CSRF token request handler for SPA
    
           */
    
          static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
    
              private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler();
    
              @Override
    
              public void handle(HttpServletRequest request, HttpServletResponse response,
    
                                Supplier<CsrfToken> csrfToken) {
    
                  delegate.handle(request, response, csrfToken);
    
              }
    
              @Override
    
              public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
    
                  String headerValue = request.getHeader(csrfToken.getHeaderName());
    
                  return (headerValue != null) ? headerValue : delegate.resolveCsrfTokenValue(request, csrfToken);
    
              }
    
          }
    
          /**
    
           * CORS Configuration
    
           */
    
          @Bean
    
          public CorsConfigurationSource corsConfigurationSource() {
    
              CorsConfiguration configuration = new CorsConfiguration();
    
              configuration.setAllowedOrigins(Arrays.asList("*"));
    
              configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
    
              configuration.setAllowedHeaders(Arrays.asList("*"));
    
              configuration.setAllowCredentials(false);
    
              UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    
              source.registerCorsConfiguration("/**", configuration);
    
              return source;
    
          }
    
          /**
    
           * Custom HTTP Firewall to allow WebDAV methods (PROPFIND, etc.)
    
           * This prevents RequestRejectedException logs from IDEs like WebStorm
    
           */
    
          @Bean
    
          public HttpFirewall allowWebDavHttpFirewall() {
    
              StrictHttpFirewall firewall = new StrictHttpFirewall();
    
              // Allow standard HTTP methods plus WebDAV methods
    
              firewall.setAllowedHttpMethods(Arrays.asList(
    
                  "GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD",
    
                  // WebDAV methods used by IDEs
    
                  "PROPFIND", "PROPPATCH", "REPORT", "LOCK", "UNLOCK",
    
                  "COPY", "MOVE", "MKCOL"
    
              ));
    
              return firewall;
    
          }
    
      }

Commits

Commit	Author	Date	Message	File SHA	Actions
`f0438c2`	<f69e50@finnacloud.com> 1766443042 +0300	12/22/2025, 10:37:22 PM	increment once more	`06759b4`	Hide
`188fc92`	<f69e50@finnacloud.com> 1766442998 +0300	12/22/2025, 10:36:38 PM	increment	`06759b4`	View
`4617f76`	<f69e50@finnacloud.com> 1766442953 +0300	12/22/2025, 10:35:53 PM	rename branch from main to master oops	`06759b4`	View
`e6d1548`	<f69e50@finnacloud.com> 1766442769 +0300	12/22/2025, 10:32:49 PM	add initial test workflow file	`06759b4`	View
`9c24ca4`	<f69e50@finnacloud.com> 1766442705 +0300	12/22/2025, 10:31:45 PM	add CI configuration and test script for Jenkins build	`06759b4`	View
`690c1f6`	<f69e50@finnacloud.com> 1766368110 +0300	12/22/2025, 1:48:30 AM	initialize backend structure with controllers, DTOs, and configuration files	`06759b4`	View

1	package com.paymentlink.config;
2
3	import org.springframework.context.annotation.Bean;
4	import org.springframework.context.annotation.Configuration;
5	import org.springframework.security.config.annotation.web.builders.HttpSecurity;
6	import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
7	import org.springframework.security.web.SecurityFilterChain;
8	import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
9	import org.springframework.security.web.csrf.CsrfToken;
10	import org.springframework.security.web.firewall.HttpFirewall;
11	import org.springframework.security.web.firewall.StrictHttpFirewall;
12	import org.springframework.web.cors.CorsConfiguration;
13	import org.springframework.web.cors.CorsConfigurationSource;
14	import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
15
16	import jakarta.servlet.http.HttpServletRequest;
17	import jakarta.servlet.http.HttpServletResponse;
18	import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
19	import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
20
21	import java.util.Arrays;
22	import java.util.function.Supplier;
23
24	@Configuration
25	@EnableWebSecurity
26	public class SecurityConfig {
27
28	@Bean
29	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
30	http
31	// Disable authentication - we want permitAll
32	.authorizeHttpRequests(auth -> auth
33	.anyRequest().permitAll()
34	)
35	// Disable CSRF for easier testing (re-enable in production)
36	.csrf(csrf -> csrf.disable())
37	// CORS Configuration
38	.cors(cors -> cors.configurationSource(corsConfigurationSource()));
39
40	return http.build();
41	}
42
43	/**
44	* Custom CSRF token request handler for SPA
45	*/
46	static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
47	private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler();
48
49	@Override
50	public void handle(HttpServletRequest request, HttpServletResponse response,
51	Supplier<CsrfToken> csrfToken) {
52	delegate.handle(request, response, csrfToken);
53	}
54
55	@Override
56	public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
57	String headerValue = request.getHeader(csrfToken.getHeaderName());
58	return (headerValue != null) ? headerValue : delegate.resolveCsrfTokenValue(request, csrfToken);
59	}
60	}
61
62	/**
63	* CORS Configuration
64	*/
65	@Bean
66	public CorsConfigurationSource corsConfigurationSource() {
67	CorsConfiguration configuration = new CorsConfiguration();
68	configuration.setAllowedOrigins(Arrays.asList("*"));
69	configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
70	configuration.setAllowedHeaders(Arrays.asList("*"));
71	configuration.setAllowCredentials(false);
72
73	UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
74	source.registerCorsConfiguration("/**", configuration);
75	return source;
76	}
77
78	/**
79	* Custom HTTP Firewall to allow WebDAV methods (PROPFIND, etc.)
80	* This prevents RequestRejectedException logs from IDEs like WebStorm
81	*/
82	@Bean
83	public HttpFirewall allowWebDavHttpFirewall() {
84	StrictHttpFirewall firewall = new StrictHttpFirewall();
85
86	// Allow standard HTTP methods plus WebDAV methods
87	firewall.setAllowedHttpMethods(Arrays.asList(
88	"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD",
89	// WebDAV methods used by IDEs
90	"PROPFIND", "PROPPATCH", "REPORT", "LOCK", "UNLOCK",
91	"COPY", "MOVE", "MKCOL"
92	));
93
94	return firewall;
95	}
96	}
97
98

backend

File History: src/main/java/com/paymentlink/config/SecurityConfig.java

File Content at Commit f0438c2

Commits