Fix embedded view issue.

2024-11-21 13:47:57 +01:00 · 2023-08-23 08:15:39 -07:00 · 2023-08-23 08:15:39 -07:00 · e85a670695
commit e85a670695
parent 28dc77c501
1 changed files with 23 additions and 4 deletions
--- a/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
+++ b/wise-webapp/src/main/java/com/wisemapping/config/SecurityConfig.java
@ -34,6 +34,22 @@ public class SecurityConfig {
        firewall.setAllowSemicolon(true);
        return firewall;
    }
+    @Bean
+    @Order(1)
+    public SecurityFilterChain embeddedDisabledXOrigin(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
+        final MvcRequestMatcher.Builder mvcMatcher = new MvcRequestMatcher.Builder(introspector).servletPath("/c");
+        http
+                .securityMatchers((matchers) ->
+                        matchers.requestMatchers(mvcMatcher.pattern(("/maps/*/embed"))))
+                .authorizeHttpRequests(
+                        (auth) -> auth.requestMatchers(mvcMatcher.pattern("/maps/*/embed")).permitAll())
+                .headers((header -> header.frameOptions()
+                        .disable()
+                ))
+                .csrf(AbstractHttpConfigurer::disable);
+
+        return http.build();
+    }

    @Bean
    @Order(2)
@ -59,7 +75,7 @@ public class SecurityConfig {
    }

    @Bean
-    @Order(1)
+    @Order(3)
    public SecurityFilterChain mvcFilterChain(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
        final AuthenticationSuccessHandler authenticationSuccessHandler = new AuthenticationSuccessHandler();
        authenticationSuccessHandler.setAlwaysUseDefaultTargetUrl(false);
@ -84,7 +100,6 @@ public class SecurityConfig {

                                        .requestMatchers(mvcMatcher.pattern("/forgot-password")).permitAll()
                                        .requestMatchers(mvcMatcher.pattern("/forgot-password-success")).permitAll()
-                                        .requestMatchers(mvcMatcher.pattern("/maps/*/embed")).permitAll()
                                        .requestMatchers(mvcMatcher.pattern("/maps/*/try")).permitAll()
                                        .requestMatchers(mvcMatcher.pattern("/maps/*/public")).permitAll()
                                        .requestMatchers(restfullMapper.pattern("/maps/*/document/xml-pub")).permitAll()
@ -108,7 +123,9 @@ public class SecurityConfig {
                                .tokenValiditySeconds(2419200)
                                .rememberMeParameter("remember-me"
                                ).authenticationSuccessHandler(authenticationSuccessHandler)
-                )
+                ).headers((header -> header.frameOptions()
+                        .disable()
+                ))
                .csrf((csrf) ->
                        csrf.ignoringRequestMatchers(mvcMatcher.pattern("/logout")));

@ -116,7 +133,7 @@ public class SecurityConfig {
    }

    @Bean
-    @Order(3)
+    @Order(4)
    public SecurityFilterChain shareResourcesFilterChain(@NotNull final HttpSecurity http, @NotNull final HandlerMappingIntrospector introspector) throws Exception {
        final MvcRequestMatcher.Builder restfullMapper = new MvcRequestMatcher.Builder(introspector);

@ -130,6 +147,8 @@ public class SecurityConfig {
        ).build();
    }

+
+
    @Bean
    public UserDetailsService userDetailsService() {
        final UserDetailsService result = new UserDetailsService();