Charan257

Reputation: 11

I am trying to disable the /decrypt endpoint in Spring Cloud Config Server so that anyone with access to the /decrypt endpoint won't be able to decrypt.

With the /decrypt endpoint available for anyone with access, I feel the encryption is not secure and it's compromised.

Is there any way we can disable the decrypt endpoint?

url: http://localhost:23000/encrypt body: hello response: 8c27f45094636aee57e2e132f

With decrypt enabled we can get back the password:

url: http://localhost:23000/encrypt body: 8c27f45094636aee57e2e132f response: hello

Upvotes: 1

Views: 486

Answers (1)

Chin Huang

Reputation: 13830

Add the Spring Security starter to your pom.xml file:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

With Spring Security on the classpath, all endpoints require authorization by default. Configure Spring Security to deny access to the /decrypt endpoint while allowing unauthenticated access to configuration data:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration(proxyBeanMethods = false)
public class SecurityConfiguration {

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Reject every request to /decrypt, whoever sends it, so the server never
    // hands back plaintext for a ciphertext it is given.
    http.authorizeRequests(requests ->
        requests
            .mvcMatchers("/decrypt").denyAll()
            // Everything else (the configuration data endpoints) stays open.
            .anyRequest().permitAll());
    return http.build();
  }
}

Upvotes: 1
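A check for the rule above, added here as an example and not part of the answer: a Spring Boot test that boots the config server with the SecurityConfiguration from the answer and confirms /decrypt is refused while configuration data is still served. It assumes the project has an @EnableConfigServer application class, the Spring Boot test starter, and the native backend with an application.properties on the classpath (the profile property and the "app" application name are constructed for the test).

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

// Constructed test setup: the native backend serves files from the classpath,
// so no git repository is needed for the configuration-data request below.
@SpringBootTest(properties = "spring.profiles.active=native")
@AutoConfigureMockMvc
class DecryptEndpointLockdownTest {

  @Autowired
  MockMvc mvc;

  @Test
  void decryptIsRefusedEvenForValidCiphertext() throws Exception {
    // Ciphertext from the question. denyAll() answers 403 for every caller,
    // authenticated or not; the security filter runs before the controller,
    // so it does not matter whether an encryption key is installed.
    mvc.perform(post("/decrypt")
            .contentType(MediaType.TEXT_PLAIN)
            .content("8c27f45094636aee57e2e132f"))
        .andExpect(status().isForbidden());
  }

  @Test
  void configurationDataIsStillServedAnonymously() throws Exception {
    // "app" / "default" are constructed names; anyRequest().permitAll()
    // keeps the config endpoints reachable without credentials.
    mvc.perform(get("/app/default"))
        .andExpect(status().isOk());
  }
}
```

Note that the rule in the answer closes only /decrypt; if clients should not be able to obtain ciphertexts from the server either, add a matching denyAll() rule for /encrypt and extend this test accordingly.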
