Commit 041681b2 authored by ThanKarab's avatar ThanKarab

XSRF protection added.

parent d8351d20
1 merge request!19Feat/186 experiment refactor
......@@ -14,11 +14,22 @@ import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Controller
......@@ -39,10 +50,6 @@ public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter
super.configure(http);
if (authenticationEnabled) {
if(!deployedOnProduction)
http.csrf().disable();
http.authorizeRequests()
.antMatchers(
"/sso/login",
......@@ -53,11 +60,44 @@ public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter
} else {
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/**").permitAll()
.and().csrf().disable();
.antMatchers("/**").permitAll();
}
if (!deployedOnProduction) {
// If deployed for development, csrf can be disabled
http.csrf().disable();
} else {
http.csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
.and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
}
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null && !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
@Autowired
private HttpServletRequest request;
......
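Review bot: The XSRF-TOKEN cookie created in csrfHeaderFilter's doFilterInternal (the `new Cookie("XSRF-TOKEN", token)` / `response.addCookie(cookie)` lines) is never marked Secure, so on the production deployment this branch is gated to, the token is also sent on any plain-HTTP request; add `cookie.setSecure(request.isSecure());` before `response.addCookie(cookie)`. The cookie is intentionally not HttpOnly, because the browser-side client has to read it and echo it back in the X-XSRF-TOKEN header that csrfTokenRepository() configures, so a short comment such as `// not HttpOnly on purpose: the client reads it and sends it back as X-XSRF-TOKEN` would keep the next maintainer from "fixing" it. If the project's Spring Security version provides CookieCsrfTokenRepository.withHttpOnlyFalse(), it implements this same cookie/header pairing and could replace both the anonymous OncePerRequestFilter and HttpSessionCsrfTokenRepository. `ignoringAntMatchers("/logout")` on the csrf() line in configure exempts logout from the token check, which means a cross-site request can still terminate a session; that is a common trade-off, but it deserves a one-line comment stating why it was chosen. The configure method that holds the `if (!deployedOnProduction)` branch starts outside the hunk.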
......@@ -16,7 +16,7 @@ authentication:
### RELEASE STAGE ###
release_stage:
production: false
production: true
### DATABASE CONFIGURATION ###
......
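Review bot: Setting `production` to true is now what turns CSRF protection on at all — in the same commit, SecurityConfiguration disables csrf() whenever this flag is false — yet nothing near the flag says so, and the hunk shows only the changed line with its neighbours cut off. A comment on the key, e.g. `# true also enables CSRF protection (see SecurityConfiguration)`, would make the coupling visible to whoever next flips it for a development run.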