From 041681b27cc018a0cf95e8842e1751b660eb8482 Mon Sep 17 00:00:00 2001
From: ThanKarab <tkarabatsis@hotmail.com>
Date: Wed, 18 Nov 2020 08:02:28 -0800
Subject: [PATCH] XSRF protection added.

---
 .../configurations/SecurityConfiguration.java | 52 ++++++++++++++++---
 src/main/resources/application.yml            |  2 +-
 2 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/src/main/java/eu/hbp/mip/configurations/SecurityConfiguration.java b/src/main/java/eu/hbp/mip/configurations/SecurityConfiguration.java
index 82f237726..4e2905945 100644
--- a/src/main/java/eu/hbp/mip/configurations/SecurityConfiguration.java
+++ b/src/main/java/eu/hbp/mip/configurations/SecurityConfiguration.java
@@ -14,11 +14,22 @@ import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.csrf.CsrfFilter;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.WebUtils;
 
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 
 
 @Controller
@@ -39,10 +50,6 @@ public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter
         super.configure(http);
 
         if (authenticationEnabled) {
-
-            if(!deployedOnProduction)
-                http.csrf().disable();
-
             http.authorizeRequests()
                     .antMatchers(
                             "/sso/login",
@@ -53,11 +60,44 @@ public class SecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter
         } else {
             http.antMatcher("/**")
                     .authorizeRequests()
-                    .antMatchers("/**").permitAll()
-                    .and().csrf().disable();
+                    .antMatchers("/**").permitAll();
+        }
+
+        if (!deployedOnProduction) {
+            // If deployed for development, csrf can be disabled
+            http.csrf().disable();
+        } else {
+            http.csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())
+                    .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
         }
     }
 
+    private Filter csrfHeaderFilter() {
+        return new OncePerRequestFilter() {
+            @Override
+            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+                                            FilterChain filterChain) throws ServletException, IOException {
+                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+                if (csrf != null) {
+                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
+                    String token = csrf.getToken();
+                    if (cookie == null || token != null && !token.equals(cookie.getValue())) {
+                        cookie = new Cookie("XSRF-TOKEN", token);
+                        cookie.setPath("/");
+                        response.addCookie(cookie);
+                    }
+                }
+                filterChain.doFilter(request, response);
+            }
+        };
+    }
+
+    private CsrfTokenRepository csrfTokenRepository() {
+        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
+        repository.setHeaderName("X-XSRF-TOKEN");
+        return repository;
+    }
+
     @Autowired
     private HttpServletRequest request;
 
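Review bot: The XSRF-TOKEN cookie created in `csrfHeaderFilter()` is written without the Secure flag, so in the production branch this code is gated on it can still be sent over plain HTTP; add `cookie.setSecure(request.isSecure());` after `cookie.setPath("/");` (or `setSecure(true)` if TLS is terminated in front of the app and forwarded headers are not configured), while HttpOnly must stay off because the client reads this cookie to build the X-XSRF-TOKEN header. The condition on the next line also creates a cookie with a null value when no cookie exists and `csrf.getToken()` is null; `if (token != null && (cookie == null || !token.equals(cookie.getValue())))` avoids that. `ignoringAntMatchers("/logout")` exempts logout from the token check, which means a cross-site request can end a user's session, so if that exemption is deliberate its reason belongs in a comment on that line. Spring Security's `CookieCsrfTokenRepository.withHttpOnlyFalse()` implements the same cookie/header convention as the hand-rolled filter plus `csrfTokenRepository()`, and would let both private methods go. `configure(HttpSecurity)` starts before this hunk, and both new private methods lack a Javadoc stating the double-submit cookie contract they implement.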
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 076ed3b59..a62d819f6 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -16,7 +16,7 @@ authentication:
 
 ### RELEASE STAGE ###
 release_stage:
-  production: false
+  production: true
 
 
 ### DATABASE CONFIGURATION ###
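Review bot: Flipping the committed default to `production: true` means the development path that disables CSRF (presumably bound to `deployedOnProduction` in SecurityConfiguration) is now only reached by explicitly overriding this property, and nothing in the file says so. A comment above the key would make the safe default and its consequence explicit, e.g. `# true enables CSRF protection; set to false only for local development`.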
-- 
GitLab