chore: Remove unauthenticated access to actuator APIs (#26320)

2023-08-14 19:06:31 +05:30 · 2023-08-14 19:06:31 +05:30 · 580eb56579
commit 580eb56579
parent 0496f8fac6
1 changed files with 2 additions and 11 deletions
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
@ -11,10 +11,8 @@ import com.appsmith.server.helpers.RedirectHelper;
 import com.appsmith.server.services.AnalyticsService;
 import com.appsmith.server.services.UserService;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
@ -121,14 +119,12 @@ public class SecurityConfig {

    @Order(Ordered.HIGHEST_PRECEDENCE)
    @Bean
-    @ConditionalOnExpression(value = "'${appsmith.internal.password}'.length() > 0")
    public SecurityWebFilterChain internalWebFilterChain(ServerHttpSecurity http) {
        return http.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/actuator/**"))
                .authorizeExchange(authorizeExchangeSpec ->
                        authorizeExchangeSpec.anyExchange().authenticated())
                .httpBasic(httpBasicSpec -> httpBasicSpec.authenticationManager(authentication -> {
-                    if (isAuthorizedToAccessInternal(
-                            authentication.getCredentials().toString())) {
+                    if (INTERNAL_PASSWORD.equals(authentication.getCredentials().toString())) {
                        return Mono.just(UsernamePasswordAuthenticationToken.authenticated(
                                authentication.getPrincipal(),
                                authentication.getCredentials(),
@ -196,7 +192,7 @@ public class SecurityConfig {
                        ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, CUSTOM_JS_LIB_URL + "/*/view"),
                        ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, PRODUCT_ALERT + "/alert"))
                .permitAll()
-                .pathMatchers("/public/**", "/oauth2/**", "/actuator/**")
+                .pathMatchers("/public/**", "/oauth2/**")
                .permitAll()
                .anyExchange()
                .authenticated()
@ -227,11 +223,6 @@ public class SecurityConfig {
                .build();
    }

-    private boolean isAuthorizedToAccessInternal(String password) {
-        // Either configured password is empty, or it's equal to what we received.
-        return StringUtils.isEmpty(INTERNAL_PASSWORD) || INTERNAL_PASSWORD.equals(password);
-    }
-
    /**
     * This bean configures the parameters that need to be set when a Cookie is created for a logged in user
     *