Skip to content

fix(security): deny unauthenticated access by default#326

Draft
Isaries wants to merge 2 commits into
WISE-Community:developfrom
Isaries:fix/default-deny-authorization
Draft

fix(security): deny unauthenticated access by default#326
Isaries wants to merge 2 commits into
WISE-Community:developfrom
Isaries:fix/default-deny-authorization

Conversation

@Isaries

@Isaries Isaries commented Jul 6, 2026

Copy link
Copy Markdown

Summary

The security configuration had no default-deny rule, so any request that did not match a specific rule was permitted. Endpoints were therefore exposed unless someone remembered to restrict them explicitly. This denies unmatched requests by default and adds an explicit allowlist of the endpoints that must stay public.

Changes

  • Add anyRequest().authenticated() as the final rule, with an allowlist of the genuinely public endpoints: sign-in and its OAuth callbacks, account registration, account and password recovery, the contact form, the public home, news, library and preview content, and the application bootstrap configuration.
  • Permit the static asset paths served by the resource handlers (portal scripts, themes and translations, the runtime engine, project files and project icons). Student uploaded files are intentionally left requiring authentication.

Why this is a draft

This changes runtime access for every path that does not match an explicit rule, so it needs verification on a running instance before merging:

  • Confirm every anonymous flow still works: sign-in, student and teacher registration, account and password recovery, the public home, library and community listings, and project preview.
  • Confirm no legitimate endpoint was missed from the allowlist.
  • Confirm the static asset paths load for signed-out visitors (this depends on whether they are served by the app or by a fronting web server in a given deployment).

Testing

  • Builds on JDK 17 (mvnw package).

Isaries added 2 commits July 6, 2026 22:04
The authorization chain listed specific paths and ended without a final
rule, so any request matching none of the rules was permitted. Most /api
endpoints matched no rule and relied entirely on method-level annotations,
so any endpoint missing an annotation was reachable without authentication.

Add an explicit allow list for the endpoints that must remain public
(sign-in and its OAuth callbacks, registration, account and password
recovery, the contact form, the public home, news, library and preview
content, and the bootstrap configuration) and require authentication for
every other request, so a missing method annotation fails closed.
Denying unmatched requests by default also caught the static asset paths
served by the resource handlers configured in WebConfig (portal scripts,
themes and translations, the runtime engine, project files and project
icons). Those are public content that the login page and the anonymous
project preview need, so blocking them would break sign-in and preview
for signed-out visitors. Permit those paths explicitly. Student uploaded
files are intentionally left requiring authentication.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant