Merge pull request #1594 from CMSgov/QPPA-11206

ckawell-sb · web-flow · commit d0b3b5c64a65 · 2026-02-06T13:50:03.000-06:00
QPPA-11206 Revert SecurityConfig removal
diff --git a/rest-api/src/main/java/gov/cms/qpp/conversion/api/config/SecurityConfig.java b/rest-api/src/main/java/gov/cms/qpp/conversion/api/config/SecurityConfig.java
@@ -1,13 +1,52 @@
 package gov.cms.qpp.conversion.api.config;
 
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.web.bind.annotation.CrossOrigin;
+
+import gov.cms.qpp.conversion.api.security.JwtAuthorizationFilter;
+
+import java.util.Set;
 
 /**
  * Web Security Configuration
  */
 @Configuration
 @EnableWebSecurity
+@CrossOrigin(origins="*")
 @EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
-public class SecurityConfig { }
+public class SecurityConfig {
+
+    private static final String PCF_WILDCARD = "/pcf/**";
+
+    @Value("${ORG_NAME:" + JwtAuthorizationFilter.DEFAULT_ORG_NAME + "}")
+	protected String orgName;
+
+	@Value("${RTI_ORG_NAME:" + JwtAuthorizationFilter.DEFAULT_RTI_ORG + "}")
+	protected String rtiOrgName;
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http.securityMatcher(PCF_WILDCARD)
+            .authorizeRequests()
+			.anyRequest().authenticated()
+			.and()
+            .csrf(csrf -> csrf.disable())
+            .addFilterAt(new JwtAuthorizationFilter(Set.of(orgName, rtiOrgName)), BasicAuthenticationFilter.class)
+            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+			.headers(headers -> headers
+				.contentSecurityPolicy(csp -> csp
+					.policyDirectives("script-src 'self'")
+				)
+            );
+
+        return http.build();
+    }
+}
