From 8bb8fddf40f26a972e0e7344ec5a4807618638a1 Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Thu, 25 Apr 2024 20:13:20 +0200
Subject: [PATCH 1/2] SecurityConfiguration: deprecated authorizeRequests replaced with authorizeHttpRequests
---
 .../server/config/TbRuleEngineSecurityConfiguration.java | 7 ++++---
 .../server/config/ThingsboardSecurityConfiguration.java | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java b/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java
index e1ab755036..15d33c7fcb 100644
--- a/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java
+++ b/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java
@@ -40,9 +40,10 @@ public class TbRuleEngineSecurityConfiguration {
 .frameOptions(config -> {}).disable())
 .cors(cors -> {})
 .csrf(AbstractHttpConfigurer::disable)
- .authorizeRequests()
- .requestMatchers("/actuator/prometheus").permitAll()
- .anyRequest().authenticated();
+ .authorizeHttpRequests(config -> config
+ .requestMatchers("/actuator/prometheus").permitAll())
+ .authorizeHttpRequests(config -> config
+ .anyRequest().authenticated());
 return http.build();
 }
 }
diff --git a/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java b/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
index c27ca35313..67c14ce656 100644
--- a/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
+++ b/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
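Review bot: The context line `.frameOptions(config -> {}).disable())` calls `disable()` on the `HeadersConfigurer` returned by `frameOptions(...)`, not on the frame-options sub-configurer, so it removes the whole `HeaderWriterFilter` (X-Content-Type-Options, Cache-Control, HSTS and X-Frame-Options) from this chain; the no-op customizer `config -> {}` suggests the intent was to drop only X-Frame-Options. If that reading is right, the line should be `.frameOptions(config -> config.disable()))`, which keeps the other default headers. This is pre-existing rather than introduced by the migration, and the `.headers(...)` call it belongs to starts outside the hunk, so I cannot see whether the full header removal is deliberate; a comment stating the intent either way would settle it.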
@@ -209,7 +209,7 @@ public class ThingsboardSecurityConfiguration {
 .csrf(AbstractHttpConfigurer::disable)
 .exceptionHandling(config -> {})
 .sessionManagement(config -> config.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
- .authorizeRequests(config -> config
+ .authorizeHttpRequests(config -> config
 .requestMatchers(WEBJARS_ENTRY_POINT).permitAll() // Webjars
 .requestMatchers(DEVICE_API_ENTRY_POINT).permitAll() // Device HTTP Transport API
 .requestMatchers(FORM_BASED_LOGIN_ENTRY_POINT).permitAll() // Login end-point
@@ -218,7 +218,7 @@ public class ThingsboardSecurityConfiguration {
 .requestMatchers(MAIL_OAUTH2_PROCESSING_ENTRY_POINT).permitAll() // Mail oauth2 code processing url
 .requestMatchers(DEVICE_CONNECTIVITY_CERTIFICATE_DOWNLOAD_ENTRY_POINT).permitAll() // Device connectivity certificate (public)
 .requestMatchers(NON_TOKEN_BASED_AUTH_ENTRY_POINTS).permitAll()) // static resources, user activation and password reset end-points
- .authorizeRequests(config -> config
+ .authorizeHttpRequests(config -> config
 .requestMatchers(WS_ENTRY_POINT).permitAll() // Protected WebSocket API End-points
 .requestMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()) // Protected API End-points
 .exceptionHandling(config -> config.accessDeniedHandler(restAccessDeniedHandler))
From abf85cb9b859c649c2f51e23b4c49b194a51aedb Mon Sep 17 00:00:00 2001
From: Sergey Matvienko
Date: Fri, 26 Apr 2024 22:03:26 +0200
Subject: [PATCH 2/2] SecurityConfiguration fixed and refactored based on manual testing results on QA env
---
 .../server/config/TbRuleEngineSecurityConfiguration.java | 3 +--
 .../server/config/ThingsboardSecurityConfiguration.java | 7 ++++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java b/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java
index 15d33c7fcb..15171ba0c7 100644
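Review bot: The new `authorizeHttpRequests` chain ends at `.requestMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()` with no `anyRequest()` rule, so a request that matches none of the listed matchers gets a null decision from `AuthorizationFilter` and passes through with no authorization check, which is also how the old `authorizeRequests()` behaved by default. Whether such a request can reach this chain depends on its `securityMatcher`, which is outside the hunk; if the chain is not confined to exactly these paths, adding `.anyRequest().denyAll()` as the last rule makes the policy fail closed. Separately, `authorizeHttpRequests` in Spring Security 6 authorizes every dispatcher type by default (ERROR, FORWARD, ASYNC), unlike `authorizeRequests`, so error-page forwards that previously bypassed authorization may now need `.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()` — worth verifying. The enclosing method begins and ends outside the hunk.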
--- a/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java
+++ b/application/src/main/java/org/thingsboard/server/config/TbRuleEngineSecurityConfiguration.java
@@ -41,8 +41,7 @@ public class TbRuleEngineSecurityConfiguration {
 .cors(cors -> {})
 .csrf(AbstractHttpConfigurer::disable)
 .authorizeHttpRequests(config -> config
- .requestMatchers("/actuator/prometheus").permitAll())
- .authorizeHttpRequests(config -> config
+ .requestMatchers("/actuator/prometheus").permitAll()
 .anyRequest().authenticated());
 return http.build();
 }
diff --git a/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java b/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
index 67c14ce656..eda8d3e89d 100644
--- a/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
+++ b/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
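Review bot: The merged rule still exposes `/actuator/prometheus` with `permitAll()` while every other request on this chain requires authentication, and nothing in the hunk records why an unauthenticated metrics endpoint is acceptable here. A one-line comment on that rule would stop the next reader from treating it as an oversight, e.g. `// Prometheus scrape endpoint is served without authentication; presumably exposure is limited at the network/ingress level — confirm`. The enclosing method begins outside the hunk, so any `securityMatcher` narrowing this chain is not visible.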
@@ -217,10 +217,11 @@ public class ThingsboardSecurityConfiguration {
 .requestMatchers(TOKEN_REFRESH_ENTRY_POINT).permitAll() // Token refresh end-point
 .requestMatchers(MAIL_OAUTH2_PROCESSING_ENTRY_POINT).permitAll() // Mail oauth2 code processing url
 .requestMatchers(DEVICE_CONNECTIVITY_CERTIFICATE_DOWNLOAD_ENTRY_POINT).permitAll() // Device connectivity certificate (public)
- .requestMatchers(NON_TOKEN_BASED_AUTH_ENTRY_POINTS).permitAll()) // static resources, user activation and password reset end-points
- .authorizeHttpRequests(config -> config
+ .requestMatchers(NON_TOKEN_BASED_AUTH_ENTRY_POINTS).permitAll() // static resources, user activation and password reset end-points
 .requestMatchers(WS_ENTRY_POINT).permitAll() // Protected WebSocket API End-points
 .requestMatchers(TOKEN_BASED_AUTH_ENTRY_POINT).authenticated()) // Protected API End-points
+ .formLogin(form -> form
+ .loginPage("/login").permitAll())
 .exceptionHandling(config -> config.accessDeniedHandler(restAccessDeniedHandler))
 .addFilterBefore(buildRestLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
 .addFilterBefore(buildRestPublicLoginProcessingFilter(), UsernamePasswordAuthenticationFilter.class)
@@ -243,7 +244,7 @@ public class ThingsboardSecurityConfiguration {
 @Bean
 @ConditionalOnMissingBean(CorsFilter.class)
 public CorsFilter corsFilter(@Autowired MvcCorsProperties mvcCorsProperties) {
- if (mvcCorsProperties.getMappings().size() == 0) {
+ if (mvcCorsProperties.getMappings().isEmpty()) {
 return new CorsFilter(new UrlBasedCorsConfigurationSource());
 } else {
 UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
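Review bot: `.formLogin(form -> form.loginPage("/login").permitAll())` registers Spring Security's own `UsernamePasswordAuthenticationFilter` for `POST /login` and a `LoginUrlAuthenticationEntryPoint` in a chain that is declared `STATELESS` and already authenticates through `buildRestLoginProcessingFilter()`, so unauthenticated requests that negotiate HTML and lack `X-Requested-With` will now be redirected (302) to `/login` instead of receiving an error status, unless an explicit `authenticationEntryPoint` is configured elsewhere in this chain — the visible `exceptionHandling` only sets `accessDeniedHandler`. The custom login filters are inserted before it and should see `POST /login` first, but any such request they do not consume now reaches a second credential-accepting endpoint backed by the same `AuthenticationManager`. The commit message cites only "manual testing results on QA env", so the reason for this line is not recoverable from the patch; if it serves only as an ordering anchor for the `addFilterBefore(..., UsernamePasswordAuthenticationFilter.class)` calls, that anchor resolves without `formLogin()` and the two lines can be dropped, otherwise a comment such as `// formLogin() is required because <QA finding>; credentials are still processed by the REST login filters above` should record the finding. The enclosing method begins and ends outside the hunk.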