Merge pull request #234 from companieshouse/SAN-308-styles-not-loaded…

…-when-user-not-logged-in SAN-308 Remove styelesheets and images access from authentication
companieshouse · Feb 24, 2025 · 5f595b5 · 5f595b5
2 parents 9dc51da + 12a6a88
commit 5f595b5
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/src/main/java/uk/gov/companieshouse/web/pps/security/WebSecurity.java b/src/main/java/uk/gov/companieshouse/web/pps/security/WebSecurity.java
@@ -68,6 +68,22 @@ public SecurityFilterChain scheduledServiceDownSecurityFilterChain(final HttpSec
 
     @Bean
     @Order(7)
+    public SecurityFilterChain stylesheetsSecurityFilterChain(final HttpSecurity http) throws Exception {
+        return configureWebCsrfMitigations(
+                http.securityMatcher("/late-filing-penalty/stylesheets/**")
+        ).build();
+    }
+
+    @Bean
+    @Order(8)
+    public SecurityFilterChain imagesSecurityFilterChain(final HttpSecurity http) throws Exception {
+        return configureWebCsrfMitigations(
+                http.securityMatcher("/late-filing-penalty/images/**")
+        ).build();
+    }
+
+    @Bean
+    @Order(9)
     public SecurityFilterChain ppsWebSecurityFilterConfig(HttpSecurity http) throws Exception {
         return configureWebCsrfMitigations(
                 http.securityMatcher("/late-filing-penalty/**")

diff --git a/src/test/java/uk/gov/companieshouse/web/pps/security/WebsecurityTests.java b/src/test/java/uk/gov/companieshouse/web/pps/security/WebsecurityTests.java
@@ -78,4 +78,18 @@ void scheduledServiceDownSecurityFilterChainTest() throws Exception {
         assertEquals(webSecurity.scheduledServiceDownSecurityFilterChain(httpSecurity), httpSecurity.build());
     }
 
+    @Test
+    @DisplayName(" apply security filter to /late-filing-penalty/stylesheets/**")
+    void stylesheetsFilterChainTest() throws Exception {
+        when(httpSecurity.securityMatcher("/late-filing-penalty/stylesheets/**")).thenReturn(httpSecurity);
+        assertEquals(webSecurity.stylesheetsSecurityFilterChain(httpSecurity), httpSecurity.build());
+    }
+
+    @Test
+    @DisplayName(" apply security filter to /late-filing-penalty/images/**")
+    void imagesFilterChainTest() throws Exception {
+        when(httpSecurity.securityMatcher("/late-filing-penalty/images/**")).thenReturn(httpSecurity);
+        assertEquals(webSecurity.imagesSecurityFilterChain(httpSecurity), httpSecurity.build());
+    }
+
 }