CODEWITHSUNDEEP
javaspringspring-bootencryptionspring-cloud-config
Khwaja Sanjari
Khwaja Sanjari

Reputation: 465

Spring Cloud config server disable encryption and decryption endpoint

I am trying to disable encrypt and decrypt end points in spring cloud config server. My Bootstrap.yml file is

spring:
  cloud:
    config:
      server:
        encrypt:
          enabled: false

encrypt:
  keyStore:
    location: ####
    password: ####
    alias: ####
    secret: ###

I tried this properties file with different verions of spring cloud and spring boot Tried spring boot version 1.5.8.RELEASE and springCloudVersion = 'Dalston.SR4'

also tried

springBootVersion = '2.0.5.RELEASE' and springCloudVersion = 'Finchley.SR1'

but still I encryption and decryption endpoints are working.

Upvotes: 1

Views: 2214

Answers (1)

Debopam
Debopam

Reputation: 3356

Use Spring Security to block this URI, with this configuration endpoint URLs are not publicly available.

package com.debopam.configserver;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author Debopam
 *
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
        .withUser("configUser").password("configPassword").roles("SYSTEM")
            .and()
        .withUser("admin").password("admin").roles("SUPERUSER","ADMIN")
            .and()
        .withUser("actuator").password("actuator").roles("ACTUATOR");;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/encrypt**").hasAnyRole("SUPERUSER","ADMIN")
            .antMatchers("/decrypt**").hasAnyRole("SUPERUSER","ADMIN")
            .anyRequest().hasRole("SYSTEM").and().httpBasic().and().csrf().disable();


    }
}

Upvotes: 4

Related Questions