
With the /decrypt endpoint available to anyone with access, I feel the encryption is not secure and is compromised.

Is there any way we can disable the decrypt endpoint?

url: http://localhost:23000/encrypt body: hello response: 8c27f45094636aee57e2e132f

With decrypt enabled, we can get back the password:

url: http://localhost:23000/encrypt body: 8c27f45094636aee57e2e132f response: hello

Charan257

1 Answer


Add the Spring Security starter to your pom.xml file:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>

With Spring Security on the classpath, all endpoints require authorization by default. Configure Spring Security to deny access to the /decrypt endpoint while allowing unauthenticated access to configuration data:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Spring Security 5.x API: authorizeRequests/mvcMatchers are deprecated or removed in 6.x
@Configuration(proxyBeanMethods = false)
public class SecurityConfiguration {

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeRequests(requests ->
        requests
            // "/decrypt/**" also covers the /decrypt/{name}/{profiles} variant of the endpoint
            .mvcMatchers("/decrypt", "/decrypt/**").denyAll()
            .anyRequest().permitAll());
    // CSRF protection is enabled by default and would reject POST /encrypt without a token
    http.csrf(csrf -> csrf.ignoringAntMatchers("/encrypt", "/encrypt/**"));
    return http.build();
  }
}
Chin Huang
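The same rule written against the Spring Security 6 / Spring Boot 3 API, as an added example that is not part of the original answer: `authorizeRequests` and `mvcMatchers` were deprecated or removed in Spring Security 6, so a current config server needs `authorizeHttpRequests` and `requestMatchers`. The class and bean names are placeholders; the `/decrypt/**` pattern is there because Spring Cloud Config Server also maps `/decrypt/{name}/{profiles}`, and the CSRF exclusion is needed because HttpSecurity enables CSRF protection by default, which would otherwise reject the POST to `/encrypt` as well.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; Spring Security 6.x / Spring Boot 3.x API.
@Configuration(proxyBeanMethods = false)
public class ConfigServerSecurity {

  @Bean
  SecurityFilterChain configServerFilterChain(HttpSecurity http) throws Exception {
    http
        .authorizeHttpRequests(auth -> auth
            // Deny the decrypt endpoint and its per-application/profile form
            // (/decrypt/{name}/{profiles}); a bare "/decrypt" matcher misses the latter.
            .requestMatchers("/decrypt", "/decrypt/**").denyAll()
            // Everything else (configuration data, /encrypt) stays reachable as before.
            .anyRequest().permitAll())
        // CSRF protection is on by default in HttpSecurity; without this exclusion the
        // POST to /encrypt would be rejected for lack of a CSRF token.
        .csrf(csrf -> csrf.ignoringRequestMatchers("/encrypt", "/encrypt/**"));
    return http.build();
  }
}
```

To check the rule, POST the ciphertext to `/decrypt` and to `/decrypt/<app>/<profile>` on the running server; both should now answer HTTP 403 while `/encrypt` keeps working. If operators still need server-side decryption, replace `denyAll()` with `hasRole(...)` and add `httpBasic(Customizer.withDefaults())` so the endpoint requires credentials instead of being closed entirely. Note that this only closes the endpoint: the config server still decrypts `{cipher}` values before returning configuration to clients, so anyone who can read `/{application}/{profile}` anonymously still receives the plaintext, which is worth locking down too.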