XSRF protection added.

041681b2 · ThanKarab · d8351d20 · 041681b2 · 041681b2
Commit 041681b2 authored 4 years ago by ThanKarab
--- a/src/main/java/eu/hbp/mip/configurations/SecurityConfiguration.java
+++ b/src/main/java/eu/hbp/mip/configurations/SecurityConfiguration.java
@@ -14,11 +14,22 @@ import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.WebUtils;

+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;


 @Controller
@@ -39,10 +50,6 @@ public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter
        super.configure(http);

        if (authenticationEnabled) {
-
-            if(!deployedOnProduction)
-                http.csrf().disable();
-
            http.authorizeRequests()
                    .antMatchers(
                            "/sso/login",
@@ -53,11 +60,44 @@ public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter
        } else {
            http.antMatcher("/**")
                    .authorizeRequests()
-                    .antMatchers("/**").permitAll()
-                    .and().csrf().disable();
+                    .antMatchers("/**").permitAll();
+        }
+
+        if (!deployedOnProduction) {
+            // If deployed for development, csrf can be disabled
+            http.csrf().disable();
+        } else {
+            http.csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
+                    .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
        }
    }

+    private Filter csrfHeaderFilter() {
+        return new OncePerRequestFilter() {
+            @Override
+            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+                                            FilterChain filterChain) throws ServletException, IOException {
+                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+                if (csrf != null) {
+                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
+                    String token = csrf.getToken();
+                    if (cookie == null || token != null && !token.equals(cookie.getValue())) {
+                        cookie = new Cookie("XSRF-TOKEN", token);
+                        cookie.setPath("/");
+                        response.addCookie(cookie);
+                    }
+                }
+                filterChain.doFilter(request, response);
+            }
+        };
+    }
+
+    private CsrfTokenRepository csrfTokenRepository() {
+        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
+        repository.setHeaderName("X-XSRF-TOKEN");
+        return repository;
+    }
+
    @Autowired
    private HttpServletRequest request;


--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -16,7 +16,7 @@ authentication:

 ### RELEASE STAGE ###
 release_stage:
-  production: false
+  production: true


 ### DATABASE CONFIGURATION ###