[PRM-712] Upgraded re-registration-service dependencies#294

Open
AndyFlintAnswerDigital wants to merge 17 commits into main from PRM-712

Conversation

@AndyFlintAnswerDigital
Contributor

No description provided.

@AndyFlintAnswerDigital AndyFlintAnswerDigital requested a review from a team as a code owner March 16, 2026 21:23
Comment on lines +98 to +99
http
.csrf(AbstractHttpConfigurer::disable)

Check failure

Code scanning / CodeQL

Disabled Spring CSRF protection High

CSRF vulnerability due to protection being disabled.

Copilot Autofix

AI 4 days ago

In general, the fix is to avoid globally disabling CSRF. Instead, either (a) keep CSRF enabled (Spring’s default) and ensure state-changing requests from browsers use CSRF tokens, or (b) if the service really is stateless and only used by non-browser clients, explicitly document and constrain that, and selectively disable CSRF only for those endpoints or authentication mechanisms where it is safe.

For this specific code, the minimal, functionality-preserving change is to remove the explicit .csrf(AbstractHttpConfigurer::disable) call and allow Spring Security’s default CSRF configuration. This will re-enable CSRF protection. Because the code uses SessionCreationPolicy.STATELESS and HTTP Basic, re-enabling CSRF might block unsafe HTTP methods if used from a browser without CSRF tokens; however, that is precisely the protection we want if browsers are clients. Since we must not assume any framework changes elsewhere, the safest change inside this file is simply to delete the disabling call and leave the rest of the chain intact. No additional imports or methods are required.

Concretely:

  • Edit securityFilterChain in SecurityConfig.java.
  • Remove the line .csrf(AbstractHttpConfigurer::disable) from the http configuration chain.
  • Keep session management, HTTP Basic, and authorization rules unchanged.
Suggested changeset 1
services/pds-adaptor/src/main/java/uk/nhs/prm/deductions/pdsadaptor/configuration/SecurityConfig.java

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/services/pds-adaptor/src/main/java/uk/nhs/prm/deductions/pdsadaptor/configuration/SecurityConfig.java b/services/pds-adaptor/src/main/java/uk/nhs/prm/deductions/pdsadaptor/configuration/SecurityConfig.java
--- a/services/pds-adaptor/src/main/java/uk/nhs/prm/deductions/pdsadaptor/configuration/SecurityConfig.java
+++ b/services/pds-adaptor/src/main/java/uk/nhs/prm/deductions/pdsadaptor/configuration/SecurityConfig.java
@@ -96,7 +96,6 @@
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         http
-            .csrf(AbstractHttpConfigurer::disable)
             .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
             .httpBasic(Customizer.withDefaults())
             .authorizeHttpRequests(auth -> auth
EOF
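Review bot: Deleting the disable call in this hunk re-enables Spring Security's default CSRF filter, but the surrounding context lines show a `SessionCreationPolicy.STATELESS` chain authenticated with `httpBasic`, so any non-browser client that sends a state-changing request with Basic credentials and no CSRF token will now be rejected, and the hunk adds no `CsrfTokenRepository` or `ignoringRequestMatchers` rule to cover those callers. Either scope the protection explicitly, e.g. `.csrf(csrf -> csrf.ignoringRequestMatchers(...))` for the API paths that are only called service-to-service, or, if every client is a service rather than a browser, keep the disable call and record that justification in a comment next to it so the CodeQL finding can be dismissed with a documented reason rather than silently. Two smaller points: the changed file is `services/pds-adaptor/.../SecurityConfig.java` while the PR title scopes the change to re-registration-service, so confirm this autofix belongs in this PR at all; and removing the only visible use of `AbstractHttpConfigurer` probably leaves its import unused, which the hunk does not clean up.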
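The following Spring Security configuration illustrates the two alternatives the autofix comment describes: keeping CSRF enabled for browser-facing endpoints while exempting only the stateless, Basic-authenticated API paths, instead of disabling it globally. This is an added example, not code from this repository; the package name and the /api/** and /actuator/health paths are assumptions.

```java
package example; // assumed placeholder package, not the project's own

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class CsrfScopedSecurityConfig {

    // Stateless, Basic-auth API whose CSRF protection is scoped, not switched off.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(Customizer.withDefaults())
            .csrf(csrf -> csrf
                // Option (b) from the comment: exempt only the non-browser API paths
                // (assumed /api/** prefix) that authenticate with Basic credentials.
                .ignoringRequestMatchers("/api/**")
                // Option (a): every other endpoint keeps CSRF on. A cookie-based
                // repository works without a server session, so it fits STATELESS;
                // a browser client reads XSRF-TOKEN and echoes it in X-XSRF-TOKEN.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll() // assumed health path
                .anyRequest().authenticated());
        return http.build();
    }
}
```

With this shape the CodeQL "Disabled Spring CSRF protection" rule has nothing to flag, and the exemption is visible in the config as an explicit, reviewable matcher rather than a global disable.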
