diff --git a/oc-sso-notificatie/pom.xml b/oc-sso-notificatie/pom.xml
index fb9eba8..8b9a170 100644
--- a/oc-sso-notificatie/pom.xml
+++ b/oc-sso-notificatie/pom.xml
@@ -59,6 +59,12 @@
jackson-databind
+
+ org.apache.commons
+ commons-lang3
+ ${commons-lang3.version}
+
+
net.logstash.logback
logstash-logback-encoder
@@ -74,7 +80,7 @@
co.elastic.logging
logback-ecs-encoder
- ${ecs-logging-java.version}
+ ${logback-ecs-encoder.version}
diff --git a/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/config/WebSecurityConfig.java b/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/config/WebSecurityConfig.java
index 732b4c5..dca7fca 100644
--- a/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/config/WebSecurityConfig.java
+++ b/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/config/WebSecurityConfig.java
@@ -38,6 +38,9 @@ public class WebSecurityConfig {
@Value("${management.security.roles:#{null}}")
private String managementSecurityRoles;
+ @Value("${security.headers.enabled}")
+ private Boolean securityHeadersEnabled;
+
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// This application only contains public pages. The Spring Boot Actuator Endpoints can be protected by the
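Review bot: The new `securityHeadersEnabled` field is a boxed `Boolean` bound to `${security.headers.enabled}` with no fallback, unlike `managementSecurityRoles` just above it which declares a `:#{null}` default; a deployment whose properties file omits the key will fail to start on an unresolvable placeholder, and the one deployment where that matters is the hardened one. A primitive with a secure default is both fail-safe and null-proof: `@Value("${security.headers.enabled:true}") private boolean securityHeadersEnabled;`. The same field is dereferenced as `!securityHeadersEnabled` in the next hunk of this file, so a single change here covers both. The `filterChain` method whose signature closes this hunk continues outside it.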
@@ -48,15 +51,16 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
.anyRequest().permitAll()
).httpBasic(Customizer.withDefaults());
} else {
- http.authorizeHttpRequests(authz -> authz
- .anyRequest().permitAll());
+ http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
}
// We have to disable the X-Frame-Options since this SSO Notification service can be invoked within an iframe.
// Disable all security headers so this service can be invoked within 3rd-party applications.
- http.headers(headers -> headers
- .frameOptions(Customizer.withDefaults())
- .disable());
+ if (!securityHeadersEnabled) {
+ http.headers(headers -> headers
+ .frameOptions(Customizer.withDefaults())
+ .disable());
+ }
return http.build();
}
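Review bot: The two comments directly above the new `if` still describe an unconditional action ("We have to disable the X-Frame-Options…", "Disable all security headers…"), while the code now only does so when `security.headers.enabled` is false, and the chain `.frameOptions(Customizer.withDefaults()).disable()` removes the whole headers configurer, so every default response header is dropped, not only X-Frame-Options. Suggest replacing both comments with one that states the switch, e.g. `// With security.headers.enabled=false, drop all Spring Security default response headers (X-Frame-Options included) so this service can be embedded in third-party iframes; with true, the defaults apply and cross-origin framing is blocked.` Since `disable()` discards the configurer, the preceding `frameOptions(Customizer.withDefaults())` has no effect and `headers -> headers.disable()` reads the same; that was already so before this change. `filterChain` begins outside this hunk.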
diff --git a/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/service/CookiesHandler.java b/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/service/CookiesHandler.java
index 1fc6f64..3b58af9 100644
--- a/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/service/CookiesHandler.java
+++ b/oc-sso-notificatie/src/main/java/nl/kennisnet/services/web/service/CookiesHandler.java
@@ -22,7 +22,7 @@
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
-import net.logstash.logback.encoder.org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
import nl.kennisnet.services.web.model.CookieValueDTO;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
diff --git a/oc-sso-notificatie/src/test/resources/application.properties b/oc-sso-notificatie/src/test/resources/application.properties
index 863a032..0f4d636 100644
--- a/oc-sso-notificatie/src/test/resources/application.properties
+++ b/oc-sso-notificatie/src/test/resources/application.properties
@@ -14,6 +14,9 @@
# limitations under the License.
#
+# Security headers - set to false to drop security headers and enhance interoperability between domains
+security.headers.enabled=false
+
# API settings
# Url of the API which returns the SSO notification information by id.
api.endpoint.url=http://localhost:3000/api/sso-notification
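Review bot: The comment introduced with `security.headers.enabled=false` says headers are "dropped" without saying which ones, yet in WebSecurityConfig the false branch disables Spring Security's entire headers configurer, so X-Frame-Options, X-Content-Type-Options, Cache-Control and (on HTTPS) Strict-Transport-Security all disappear together. An operator reading only this line will assume the framing header is the sole trade-off; suggest `# Security headers - false disables ALL Spring Security default response headers (X-Frame-Options, X-Content-Type-Options, Cache-Control, HSTS) so the service can be embedded in third-party pages; leave true unless iframe embedding is required`. The identical comment and value are added to `release/src/main/resources/sample/config/application.properties` in this commit, where the wording matters more because that sample is what deployments copy.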
diff --git a/pom.xml b/pom.xml
index 1735e7e..771c492 100644
--- a/pom.xml
+++ b/pom.xml
@@ -38,25 +38,25 @@
2021
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 3.5.4
+
+
UTF-8
17
1.5
0.8.10
- 12.1.1
- 1.6.0
- 5.3
+ 12.1.3
+ 1.7.0
+ 7.4
2.8
2.5.3
3.8.2
-
- org.springframework.boot
- spring-boot-starter-parent
- 3.4.7
-
-
diff --git a/release/pom.xml b/release/pom.xml
index 9c665b4..bbd0c20 100644
--- a/release/pom.xml
+++ b/release/pom.xml
@@ -31,7 +31,7 @@
- 2.3.5,2.3.4,2.3.3,2.3.2,2.3.1,2.3.0,2.2.1,2.2.0,2.1.1,2.1.0,2.0.6,2.0.5,2.0.4,2.0.3,2.0.2,2.0.1,1.0.0
+ 2.3.6,2.3.5,2.3.4,2.3.3,2.3.2,2.3.1,2.3.0,2.2.1,2.2.0,2.1.1,2.1.0,2.0.6,2.0.5,2.0.4,2.0.3,2.0.2,2.0.1,1.0.0
diff --git a/release/src/main/resources/sample/config/application.properties b/release/src/main/resources/sample/config/application.properties
index 4398afc..6202b17 100644
--- a/release/src/main/resources/sample/config/application.properties
+++ b/release/src/main/resources/sample/config/application.properties
@@ -17,6 +17,9 @@
# The port Tomcat will listen to
server.port=8083
+# Security headers - set to false to drop security headers and enhance interoperability between domains
+security.headers.enabled=false
+
# API settings
# Url of the API which returns the SSO notification information by id.
api.endpoint.url=
diff --git a/release/src/site/markdown/docs/2.3.6/release-notes.md b/release/src/site/markdown/docs/2.3.6/release-notes.md
new file mode 100644
index 0000000..96080bd
--- /dev/null
+++ b/release/src/site/markdown/docs/2.3.6/release-notes.md
@@ -0,0 +1,30 @@
+# OC SSO Notification Service - Release Notes
+
+| Field | Value |
+|:--------------------------|:----------------------------|
+| Application | OC SSO Notification Service |
+| Version | 2.3.6 |
+| Changes since version | 2.3.5 |
+| Release date | 05-08-2025 (dd-mm-yyyy) |
+| Delivery type | Full release |
+
+## Changes
+
+| # | Description |
+|:---------|:----------------------------------------|
+| ENT-5230 | Build release OC SSO Notification 2.3.6 |
+
+
+## Configuration changes
+
+An additional parameter is added to control the setting of security headers.
+
+ # Security headers - set to false to drop security headers and enhance interoperability between domains
+ security.headers.enabled=false
+
+If set to true, the headers will be set and security will be enhanced. This may affect the interoperability of the
+application between domains.
+
+## Known vulnerabilities
+
+At the time of release, this version of the application had no known vulnerabilities with a CVE of 7 or higher.