This commit is contained in:
Anthony Stirling
2024-10-07 11:50:07 +01:00
parent daf4f49050
commit 496fcad698


@@ -12,7 +12,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -81,7 +80,9 @@ public class SecurityConfiguration {
if (loginEnabledValue) { if (loginEnabledValue) {
http.addFilterBefore( http.addFilterBefore(
userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
http.csrf(csrf -> csrf.disable()); if(applicationProperties.getSecurity().getCsrfDisabled()) {
http.csrf(csrf -> csrf.disable());
}
http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class); http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class);
http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class); http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class);
http.sessionManagement( http.sessionManagement(
@@ -219,8 +220,10 @@ public class SecurityConfiguration {
userAuthenticationFilter, Saml2WebSsoAuthenticationFilter.class); userAuthenticationFilter, Saml2WebSsoAuthenticationFilter.class);
} }
} else { } else {
http.csrf(csrf -> csrf.disable()) if(applicationProperties.getSecurity().getCsrfDisabled()) {
.authorizeHttpRequests(authz -> authz.anyRequest().permitAll()); http.csrf(csrf -> csrf.disable());
}
http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
} }
return http.build(); return http.build();
@@ -270,12 +273,13 @@ public class SecurityConfiguration {
return true; return true;
} }
// // Only Dev test // // Only Dev test
// @Bean // @Bean
// public WebSecurityCustomizer webSecurityCustomizer() { // public WebSecurityCustomizer webSecurityCustomizer() {
// return (web) -> // return (web) ->
// web.ignoring() // web.ignoring()
// .requestMatchers( // .requestMatchers(
// "/css/**", "/images/**", "/js/**", "/**.svg", "/pdfjs-legacy/**"); // "/css/**", "/images/**", "/js/**", "/**.svg",
// } // "/pdfjs-legacy/**");
// }
} }
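Review bot: Both new `if(applicationProperties.getSecurity().getCsrfDisabled())` guards (second and third hunks) unbox the flag straight into the condition; if that getter returns a boxed Boolean that is null when the property is absent, the context fails at startup with a NullPointerException instead of defaulting to CSRF protection on, so it is worth confirming the getter returns a primitive or a non-null default. The two guards are identical, so a small private helper such as `private void applyCsrfPolicy(HttpSecurity http)` would keep the decision in one place and carry a comment stating that disabling CSRF lets any authenticated state-changing endpoint be driven by a cross-site request, which is the reason the default must stay enabled. In the branch that keeps login enabled, the CSRF filter now stays active ahead of the session policy configured on the lines that follow; if that policy is STATELESS, the default session-backed token repository cannot persist tokens, so that interaction should be checked or documented. The spacing `if(` also differs from the existing `if (loginEnabledValue)` style two lines above in the second hunk. The enclosing method starts and ends outside these hunks.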