From 496fcad698091e40fcf4711b3966c0e0725d17bd Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com.>
Date: Mon, 7 Oct 2024 11:50:07 +0100
Subject: [PATCH] csrf fix #1997
---
 .../security/SecurityConfiguration.java | 28 +++++++++++--------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java b/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
index 24ddcfa3..f3924eeb 100644
--- a/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
+++ b/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
@@ -12,7 +12,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -81,7 +80,9 @@ public class SecurityConfiguration {
 if (loginEnabledValue) {
 http.addFilterBefore(
 userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
- http.csrf(csrf -> csrf.disable());
+ if(applicationProperties.getSecurity().getCsrfDisabled()) {
+ http.csrf(csrf -> csrf.disable());
+ }
 http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class);
 http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class);
 http.sessionManagement(
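Review bot: The new guard uses `applicationProperties.getSecurity().getCsrfDisabled()` directly as a boolean condition; if that getter returns a boxed `Boolean` (ApplicationProperties is not visible here) and the corresponding property is absent from the configuration, the implicit unboxing throws a NullPointerException while the filter chain is being built, so a null-safe form such as `if (Boolean.TRUE.equals(applicationProperties.getSecurity().getCsrfDisabled())) {` would be safer and, as a side effect, keeps CSRF protection on by default. The identical guard is repeated in the hunk at line 219; a small private helper like `private boolean csrfDisabled()` would keep both branches in step and give one place to document that CSRF is enforced unless explicitly disabled. Also `if(` is missing the space after the keyword that the surrounding code uses. The enclosing method starts before this hunk and continues past it.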
@@ -219,8 +220,10 @@ public class SecurityConfiguration {
 userAuthenticationFilter, Saml2WebSsoAuthenticationFilter.class);
 }
 } else {
- http.csrf(csrf -> csrf.disable())
- .authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
+ if(applicationProperties.getSecurity().getCsrfDisabled()) {
+ http.csrf(csrf -> csrf.disable());
+ }
+ http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
 }
 
 return http.build();
@@ -270,12 +273,13 @@ public class SecurityConfiguration {
 return true;
 }
 
-// // Only Dev test
-// @Bean
-// public WebSecurityCustomizer webSecurityCustomizer() {
-// return (web) ->
-// web.ignoring()
-// .requestMatchers(
-// "/css/**", "/images/**", "/js/**", "/**.svg", "/pdfjs-legacy/**");
-// }
+ // // Only Dev test
+ // @Bean
+ // public WebSecurityCustomizer webSecurityCustomizer() {
+ // return (web) ->
+ // web.ignoring()
+ // .requestMatchers(
+ // "/css/**", "/images/**", "/js/**", "/**.svg",
+ // "/pdfjs-legacy/**");
+ // }
 }
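Review bot: In the `else` branch (login disabled) the default CSRF protection now stays active whenever `getCsrfDisabled()` is false, so every state-changing request to the `permitAll()` endpoints must carry a valid CSRF token even though there is no authenticated session to ride on; whether the front end and any API clients actually send one is not visible from this hunk, so the intent deserves a comment, e.g. `// Login disabled: CSRF is still enforced unless explicitly disabled in security settings; clients must supply the token on POST/PUT/DELETE`. The guard duplicates the one in the hunk at line 81 and shares its `if(` spacing and boxed-`Boolean` concerns, so one private helper would serve both. The enclosing method starts before this hunk.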