fix spring security warning

[mshima]

Fix

2022-07-18 22:36:52.353  WARN 80665 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/**', OPTIONS]. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-07-18 22:36:52.353  WARN 80665 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/app/**/*.{js,html}']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-07-18 22:36:52.353  WARN 80665 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/i18n/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-07-18 22:36:52.354  WARN 80665 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/content/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-07-18 22:36:52.354  WARN 80665 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/h2-console/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-07-18 22:36:52.354  WARN 80665 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/swagger-ui/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2022-07-18 22:36:52.354  WARN 80665 --- [  restartedMain] o.s.s.c.a.web.builders.WebSecurity       : You are asking Spring Security to ignore Ant [pattern='/test/**']. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.

---

Please make sure the below checklist is followed for Pull Requests.

• All continuous integration tests are green
• Tests are added where necessary
• The JDL part is updated if necessary
• jhipster-online is updated if necessary
• Documentation is added/updated where necessary
• Coding Rules & Commit Guidelines as per our CONTRIBUTING.md document are followed

When you are still working on the PR, consider converting it to Draft (below reviewers) and adding skip-ci label, you can still see CI build result at your branch.

[atomfrede]

Still in draft for the reactive part I guess?

[mshima]

It was late yesterday, couldn’t check the build result.
Looks ok.
I don’t think those warnings happens at reactive.

[atomfrede]

I didn't check but at least it seems to be(?). I am not sure what my comment about the csp was, need to check my sample again. #18534

[mshima]

I didn’t saw that bug report. 😕
I will do more tests with swagger and h2 later today.
The others routes should be fine.

[atomfrede]

Awesome. I also remember h2 and swagger only. Everything else should also be found our integration/e2e tests.

[mshima]

Indeed h2-console and swagger-ui breaks with this PR.
Switching

generator-jhipster/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs

Line 213 in 91358fc

.deny()

to sameOrigin() seems to fix them.

Microservice:

• h2-console: need to check if it's accessible.
• swagger-ui: doesn't exist.

Microfrontend:

• h2-console: should be ok if accessing using dev server (need to confirm).
• swagger-ui: should be ok if accessing using dev server (need to confirm).