Ensure /websocket/tracker/ cant bypass

AuthoritiesConstants.ADMIN restriction Fix #13439
jhipster · Jan 8, 2021 · 75254b3 · 75254b3
1 parent 85081b0
commit 75254b3
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs b/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs
@@ -273,7 +273,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
             .antMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
             .antMatchers("/api/**").authenticated()
     <%_ if (websocket === 'spring-websocket') { _%>
-            .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
+            .mvcMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
             .antMatchers("/websocket/**").permitAll()
     <%_ } _%>
             .antMatchers("/management/health").permitAll()

diff --git a/generators/server/templates/src/main/java/package/config/UaaConfiguration.java.ejs b/generators/server/templates/src/main/java/package/config/UaaConfiguration.java.ejs
@@ -107,7 +107,7 @@ public class UaaConfiguration extends AuthorizationServerConfigurerAdapter imple
                 .antMatchers("/api/account/reset-password/init").permitAll()
                 .antMatchers("/api/account/reset-password/finish").permitAll()
                 .antMatchers("/api/**").authenticated()<% if (websocket === 'spring-websocket') { %>
-                .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
+                .mvcMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
                 .antMatchers("/websocket/**").permitAll()<% } %>
                 .antMatchers("/management/health").permitAll()
                 .antMatchers("/management/health/**").permitAll()