First steps on csfr impl

2024-10-05 17:58:36 +02:00 · 2022-02-19 12:39:38 -08:00 · 2022-02-19 12:39:38 -08:00 · e1bd2630aa
commit e1bd2630aa
parent bea7bea486
5 changed files with 3908 additions and 18 deletions
--- a/wise-webapp/out
+++ b/wise-webapp/out
--- a/wise-webapp/pom.xml
+++ b/wise-webapp/pom.xml
@ -17,6 +17,7 @@
        <org.springframework.addons>5.3.5.RELEASE</org.springframework.addons>
        <hibernate.version>5.6.5.Final</hibernate.version>
        <hibernate-validator.version>6.0.21.Final</hibernate-validator.version>
+        <spring-security-taglibs.version>5.6.1</spring-security-taglibs.version>
    </properties>

    <dependencies>
@ -68,6 +69,11 @@
            <version>${org.springframework.version}</version>
            <scope>compile</scope>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-taglibs</artifactId>
+            <version>${spring-security-taglibs.version}</version>
+        </dependency>
        <!-- Hibernate -->
        <dependency>
            <groupId>org.hibernate</groupId>
--- a/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml
+++ b/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml
@ -17,10 +17,6 @@

    <sec:http pattern="/static/webapp/**" security="none"/>
    <sec:http pattern="/static/mindplot/**" security="none"/>
-    <sec:http pattern="/c/login" security="none"/>
-    <sec:http pattern="/c/registration" security="none"/>
-    <sec:http pattern="/c/forgot-password" security="none"/>
-
    <sec:http pattern="/css/**" security="none"/>
    <sec:http pattern="/js/**" security="none"/>
    <sec:http pattern="/images/**" security="none"/>
@ -43,12 +39,13 @@

    <!-- Admin related services that required admin role-->
    <sec:http use-expressions="true" create-session="stateless" pattern="/service/**">
-        <sec:csrf disabled="true"/>
+        <sec:csrf/>

        <!-- Enabled only for cors -->
        <sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>
        <sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>

+        
        <sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>
        <sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>

@ -59,14 +56,15 @@
        <sec:http-basic/>
    </sec:http>

-    <sec:http use-expressions="true">
-        <sec:csrf disabled="true"/>
-        <sec:access-denied-handler error-page="/c/login"/>
-
-        <sec:intercept-url pattern="/c/restful/admin/users/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>
-        <sec:intercept-url pattern="/c/restful/admin/database/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>
+    <sec:http use-expressions="true" pattern="/c/**/*">
+        <sec:intercept-url pattern="/c/login" access="hasRole('ANONYMOUS')"/>
+        <sec:intercept-url pattern="/c/logout" access="hasRole('ANONYMOUS')"/>
+        <sec:intercept-url pattern="/c/registration" access="hasRole('ANONYMOUS')"/>
+        <sec:intercept-url pattern="/c/forgot-password" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/>

+        <sec:csrf/>
+        <sec:access-denied-handler error-page="/c/login"/>
        <sec:form-login login-page="/c/login"
                        authentication-success-handler-ref="authenticationSuccessHandler"
                        always-use-default-target="false"
@ -74,10 +72,16 @@
                        login-processing-url="/c/perform-login"/>

        <!-- Expire in 28 days -->
-        <sec:remember-me  token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
+        <sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
        <sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>
+        <sec:csrf token-repository-ref="tokenRepository"/>
    </sec:http>

+    <bean id="tokenRepository"
+          class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
+        <property name="cookieHttpOnly" value="true"/>
+    </bean>
+
    <import resource="wisemapping-security-${security.type}.xml"/>

    <bean id="userDetailsService" class="com.wisemapping.security.UserDetailsService">
--- a/wise-webapp/src/main/webapp/jsp/pageHeaders.jsf
+++ b/wise-webapp/src/main/webapp/jsp/pageHeaders.jsf
@ -1,23 +1,25 @@
 <%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
+<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="theme-color" content="#000000" />

-    <meta name="author" content="WiseMapping">
-    <meta name="publisher" content="WiseMapping">
+    <meta name="author" content="wisemapping">
+    <meta name="publisher" content="wisemapping">
    <meta name="keywords"
          content="mindmap,mind map,mind maps,mindmaps,ideas,brainstorming,organize,thoughts,structure,collaboration,free,fast,simple,online,tool,knowledge,share,sharing,publish">
    <meta name="description"
-          content="WiseMapping is a free, fast and simple online mind mapping editor for individuals and business. Sign up to start organizing and sharing your ideas and thoughts.">
+          content="wisemapping is a free, fast and simple online mind mapping editor for individuals and business. sign up to start organizing and sharing your ideas and thoughts.">

-    <meta property="og:title" content="WiseMapping"/>
+    <meta property="og:title" content="wisemapping"/>
    <meta property="og:type" content="website"/>
    <meta property="og:url" content="http://www.wisemapping.com"/>
    <meta property="og:image" content="http://www.wisemapping.com/images/logo.png"/>
-    <meta property="og:site_name" content="WiseMapping.com"/>
+    <meta property="og:site_name" content="wisemapping.com"/>

    <link rel="icon" href="../../favicon.ico" type="image/x-icon"/>
    <link rel="apple-touch-icon" href="../../favicon.png" />
    <link rel="shortcut icon" href="../../favicon.ico" type="image/x-icon"/>

+    <sec:csrfMetaTags />
    <link rel="manifest" href="../../manifest.json" />
--- a/wise-webapp/src/main/webapp/jsp/reactInclude.jsp
+++ b/wise-webapp/src/main/webapp/jsp/reactInclude.jsp
@ -8,7 +8,6 @@
    <base href="${requestScope['site.baseurl']}/static/webapp/">
    <link rel="preconnect" href="https://fonts.gstatic.com" />
    <link href="https://fonts.googleapis.com/css2?family=Montserrat:wght@100;200;300;400;600&display=swap" rel="stylesheet" />
-
    <%@ include file="/jsp/pageHeaders.jsf" %>

    <title>Loading | WiseMapping</title>