Skip to content

fix(security): deny unauthenticated access by default#326

Open
Isaries wants to merge 2 commits into
WISE-Community:developfrom
Isaries:fix/default-deny-authorization
Open

fix(security): deny unauthenticated access by default#326
Isaries wants to merge 2 commits into
WISE-Community:developfrom
Isaries:fix/default-deny-authorization

Conversation

@Isaries

@Isaries Isaries commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

The security configuration had no default-deny rule, so any request that did not match a specific rule was permitted. Endpoints were therefore exposed unless someone remembered to restrict them explicitly. This denies unmatched requests by default and adds an explicit allowlist of the endpoints that must stay public.

Changes

  • Add anyRequest().authenticated() as the final rule, with an allowlist of the genuinely public endpoints: sign-in and its OAuth callbacks, account registration, account and password recovery, the contact form, the public home, news, library and preview content, and the application bootstrap configuration.
  • Permit the static asset paths served by the resource handlers (portal scripts, themes and translations, the runtime engine, project files and project icons). Student uploaded files are intentionally left requiring authentication.

Why this is a draft

This changes runtime access for every path that does not match an explicit rule, so it needs verification on a running instance before merging:

  • Confirm every anonymous flow still works: sign-in, student and teacher registration, account and password recovery, the public home, library and community listings, and project preview.
  • Confirm no legitimate endpoint was missed from the allowlist.
  • Confirm the static asset paths load for signed-out visitors (this depends on whether they are served by the app or by a fronting web server in a given deployment).

Testing

  • Builds on JDK 17 (mvnw package).

Isaries added 2 commits July 11, 2026 23:23
The authorization chain listed specific paths and ended without a final
rule, so any request matching none of the rules was permitted. Most /api
endpoints matched no rule and relied entirely on method-level annotations,
so any endpoint missing an annotation was reachable without authentication.

Add an explicit allow list for the endpoints that must remain public
(sign-in and its OAuth callbacks, registration, account and password
recovery, the contact form, the public home, news, library and preview
content, and the bootstrap configuration) and require authentication for
every other request, so a missing method annotation fails closed.
Denying unmatched requests by default also caught the static asset paths
served by the resource handlers configured in WebConfig (portal scripts,
themes and translations, the runtime engine, project files and project
icons). Those are public content that the login page and the anonymous
project preview need, so blocking them would break sign-in and preview
for signed-out visitors. Permit those paths explicitly. Student uploaded
files are intentionally left requiring authentication.
@Isaries
Isaries force-pushed the fix/default-deny-authorization branch from 7b07285 to 2c1ac6d Compare July 11, 2026 15:40
@Isaries
Isaries marked this pull request as ready for review July 11, 2026 15:43
@Isaries

Isaries commented Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

This is the default-deny follow-up from the #322 discussion (the missing terminal rule). Rebased onto develop now that #322 is merged, so it sits on top of the mvcMatchers admin rules rather than the old block.

It adds .anyRequest().authenticated() so an unmatched path is denied instead of silently permitted, plus an explicit permitAll whitelist for the endpoints that must stay reachable without signing in (sign-in and its OAuth callbacks, registration, account and password recovery, contact, the public home, news, library and preview content, the bootstrap config, and the framework error dispatch and favicon), plus the static resource handlers from WebConfig. Student uploads are deliberately left out so they keep requiring authentication.

I audited the public surface against the front-end to build the whitelist. One endpoint needed adding beyond the obvious set: GET /api/project/info/*. The anonymous contact page calls it when reached as /contact?projectId=... and it had no auth guard before, so deny-by-default would have broken that flow.

Two paths that were reachable under permit-by-default become login-only here, and I left them that way on purpose since neither looks intended to be public: /pages/statistics.html (a legacy JSP with no front-end reference) and the WISE4 /api/vleconfig preview path. Happy to permit either if you know they are used.

Authorization test coverage for this boundary is in #331, since it stands on its own and also guards the #322 rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant