fix security configuration

allegro · Sep 6, 2023 · 213d4ee · 213d4ee
1 parent 4962e16
commit 213d4ee
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/...ner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/chaos/api/ChaosController.kt b/...ner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/chaos/api/ChaosController.kt
@@ -3,15 +3,13 @@ package pl.allegro.tech.servicemesh.envoycontrol.chaos.api
 import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
-import org.springframework.http.HttpMethod
 import org.springframework.http.HttpStatus
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.invoke
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetails
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
 import org.springframework.security.web.SecurityFilterChain
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher
 import org.springframework.web.bind.annotation.DeleteMapping
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.PathVariable
@@ -67,8 +65,8 @@ class ChaosController(val chaosService: ChaosService) {
             http {
                 httpBasic { }
                 authorizeHttpRequests {
-                    authorize(AntPathRequestMatcher("/chaos/fault/**", HttpMethod.POST.name()), hasRole("CHAOS"))
-                    authorize(anyRequest, permitAll) // todo: ???
+                    authorize("/chaos/fault/**", hasRole("CHAOS"))
+                    authorize("/actuator/health", permitAll)
                 }
                 csrf { disable() }
                 formLogin { disable() }