fix: deny access by default and remove default access token

intranda · Sep 5, 2024 · 338ea61 · 338ea61
1 parent b802439
commit 338ea61
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/module-core/src/main/java/io/goobi/vocabulary/security/BearerTokenAuthFilter.java b/module-core/src/main/java/io/goobi/vocabulary/security/BearerTokenAuthFilter.java
@@ -19,10 +19,10 @@
 
 @Component
 public class BearerTokenAuthFilter extends OncePerRequestFilter {
-    @Value("${security.token}")
+    @Value("${security.token:#{null}")
     private String secretToken;
 
-    @Value("${security.anonymous.read-allowed}")
+    @Value("${security.anonymous.read-allowed:false}")
     private boolean anonymousReadAllowed;
 
     @Bean
@@ -64,6 +64,10 @@ private boolean isPublic(HttpServletRequest request) {
     }
 
     private boolean isTokenValid(String accessToken) {
+        // If secret token is not set, deny
+        if (secretToken == null) {
+            return false;
+        }
         return secretToken.equals(accessToken);
     }
 }
diff --git a/module-core/src/main/resources/application.properties b/module-core/src/main/resources/application.properties
@@ -3,10 +3,12 @@
 
 # Security
 # Only listen on local address. Remove this line, if you want to open the vocabulary server to the public.
-# ATTENTION: Currently, there is no security in the vocabulary server. Every caller of the API can do anything!
 #server.address=127.0.0.1
-security.token=secret
-security.anonymous.read-allowed=false
+
+# Set a security token! If not set, you won't be able to make modifying API calls
+#security.token=secret
+# Control anonymous read operations. If set to false or not set, anonymous readers will not get access
+#security.anonymous.read-allowed=true
 
 # Basic configuration
 # The port the vocabulary server should listen on