From e16535defd11bf3c8551209cfbfe801dea9ae897 Mon Sep 17 00:00:00 2001
From: netroms
Date: Thu, 26 Oct 2023 21:56:38 +0800
Subject: [PATCH] fix: custom CSS is shown on unauthenticated pages (#15110) (#15496)
(cherry picked from commit 2078920c807fdd9ec0d199839f30aead1aa20578)
---
 .../config/DhisWebApiWebSecurityConfig.java | 14 ++++++++++++--
 .../config/DhisWebCommonsWebSecurityConfig.java | 6 ------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/security/config/DhisWebApiWebSecurityConfig.java b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/security/config/DhisWebApiWebSecurityConfig.java
index 8ba9a9a57324..1bdbb9ac5e16 100644
--- a/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/security/config/DhisWebApiWebSecurityConfig.java
+++ b/dhis-2/dhis-web-api/src/main/java/org/hisp/dhis/webapi/security/config/DhisWebApiWebSecurityConfig.java
@@ -434,6 +434,12 @@ private void configureAccessRestrictions(
 // migrated
 .antMatchers("/index.html")
 .permitAll()
+ .antMatchers("/external-static/**")
+ .permitAll()
+ .antMatchers("/favicon.ico")
+ .permitAll()
+ .antMatchers("/oauth2/**")
+ .permitAll()
 .antMatchers(apiContextPath + "/authentication/login")
 .permitAll()
 .antMatchers(apiContextPath + "/account/recovery")
@@ -442,12 +448,16 @@ private void configureAccessRestrictions(
 .permitAll()
 .antMatchers(apiContextPath + "/account")
 .permitAll()
- .antMatchers(apiContextPath + "/staticContent/*")
+ .antMatchers(apiContextPath + "/staticContent/**")
 .permitAll()
- .antMatchers(apiContextPath + "/externalFileResources/*")
+ .antMatchers(apiContextPath + "/externalFileResources/**")
 .permitAll()
 .antMatchers(apiContextPath + "/icons/*/icon.svg")
 .permitAll()
+ .antMatchers(apiContextPath + "/files/style/external")
+ .permitAll()
+ .antMatchers(apiContextPath + "/publicKeys/**")
+ .permitAll()
 .anyRequest()
 .authenticated()
 .accessDecisionManager(apiAccessDecisionManager());
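Review bot: `.antMatchers("/oauth2/**").permitAll()` opens a whole prefix to unauthenticated requests, yet `/oauth2/**` appears nowhere in the visible DhisWebCommonsWebSecurityConfig lines, so this looks like new exposure on this chain rather than a rule being moved (it may already be permitted somewhere outside the hunks). The commit title only covers custom CSS on unauthenticated pages, so either narrow the pattern to the endpoints that must be reachable before login or document it in place, e.g. `// OAuth2 endpoints needed before login; everything under this prefix skips authentication`. `/external-static/**` and `/favicon.ico` also remain permitted in the commons config, so the two allow-lists now have to be kept in sync by hand. configureAccessRestrictions starts and ends outside this hunk, so earlier matchers that could take precedence are not visible here.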
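Review bot: Widening `/staticContent/*` and `/externalFileResources/*` to `/**` makes every nested path under both prefixes unauthenticated, and because these matchers name no HTTP method the `permitAll()` covers writes as well as reads. The staticContent change mirrors the `/api/staticContent/**` rule removed from the commons config, but the externalFileResources widening has no counterpart among the visible removals and does not appear to be needed for the CSS fix. If only reads are meant to be public, restrict the matcher, e.g. `.antMatchers(HttpMethod.GET, apiContextPath + "/externalFileResources/**")` (assuming `HttpMethod` is already imported in this file); otherwise the write paths rely entirely on controller-level authorization, which this diff does not show. The same consideration applies to the new `/files/style/external` and `/publicKeys/**` entries in this hunk.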
diff --git a/dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/config/DhisWebCommonsWebSecurityConfig.java b/dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/config/DhisWebCommonsWebSecurityConfig.java
index 35bd9efd7894..67f8fd341ca9 100644
--- a/dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/config/DhisWebCommonsWebSecurityConfig.java
+++ b/dhis-2/dhis-web/dhis-web-commons/src/main/java/org/hisp/dhis/security/config/DhisWebCommonsWebSecurityConfig.java
@@ -149,8 +149,6 @@ protected void configure(HttpSecurity http) throws Exception {
 .permitAll()
 .antMatchers("/impersonate")
 .hasAnyAuthority("ALL", "F_IMPERSONATE_USER")
- .antMatchers("/api/staticContent/**")
- .permitAll()
 .antMatchers("/dhis-web-commons/oidc/**")
 .permitAll()
 .antMatchers("/dhis-web-commons/javascripts/**")
@@ -161,14 +159,10 @@ protected void configure(HttpSecurity http) throws Exception {
 .permitAll()
 .antMatchers("/dhis-web-commons/fonts/**")
 .permitAll()
- .antMatchers("/api/files/style/external")
- .permitAll()
 .antMatchers("/external-static/**")
 .permitAll()
 .antMatchers("/favicon.ico")
 .permitAll()
- .antMatchers("/api/publicKeys/**")
- .permitAll()
 // Dynamic content
 .antMatchers("/dhis-web-commons/i18nJavaScript.action")
 .permitAll()