Fix csrf (#2126)

* apply fix * Fixes empty th:action * Update build.gradle * fix * formatting --------- Co-authored-by: Dimitrios Kaitantzidis <james_k23@hotmail.gr>
2024-10-29 17:56:29 +00:00
parent c39b111edc
commit 903dc7638c
17 changed files with 41 additions and 16 deletions
--- a/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
+++ b/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
@@ -36,6 +36,8 @@ import org.springframework.security.saml2.provider.service.web.authentication.Sa
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.savedrequest.NullRequestCache;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@@ -94,6 +96,16 @@ public class SecurityConfiguration {
                    userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
            if (applicationProperties.getSecurity().getCsrfDisabled()) {
                http.csrf(csrf -> csrf.disable());
+            } else {
+                CookieCsrfTokenRepository cookieRepo =
+                        CookieCsrfTokenRepository.withHttpOnlyFalse();
+                CsrfTokenRequestAttributeHandler requestHandler =
+                        new CsrfTokenRequestAttributeHandler();
+                requestHandler.setCsrfRequestAttributeName(null);
+                http.csrf(
+                        csrf ->
+                                csrf.csrfTokenRepository(cookieRepo)
+                                        .csrfTokenRequestHandler(requestHandler));
            }
            http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class);
            http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class);
@@ -113,6 +125,7 @@ public class SecurityConfiguration {
                            logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                                    .logoutSuccessHandler(
                                            new CustomLogoutSuccessHandler(applicationProperties))
+                                    .clearAuthentication(true)
                                    .invalidateHttpSession(true) // Invalidate session
                                    .deleteCookies("JSESSIONID", "remember-me"));
            http.rememberMe(
@@ -223,6 +236,16 @@ public class SecurityConfiguration {
        } else {
            if (applicationProperties.getSecurity().getCsrfDisabled()) {
                http.csrf(csrf -> csrf.disable());
+            } else {
+                CookieCsrfTokenRepository cookieRepo =
+                        CookieCsrfTokenRepository.withHttpOnlyFalse();
+                CsrfTokenRequestAttributeHandler requestHandler =
+                        new CsrfTokenRequestAttributeHandler();
+                requestHandler.setCsrfRequestAttributeName(null);
+                http.csrf(
+                        csrf ->
+                                csrf.csrfTokenRepository(cookieRepo)
+                                        .csrfTokenRequestHandler(requestHandler));
            }
            http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
        }