Add CSRD to get operations

This commit is contained in:
Paulo Gustavo Veiga 2022-02-19 15:57:57 -08:00
parent 9966412705
commit f2c15d100d
2 changed files with 33 additions and 7 deletions

View File

@ -0,0 +1,27 @@
package com.wisemapping.security;
import org.springframework.security.web.util.matcher.RequestMatcher;
import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
public class CSFRRequestMatcher implements RequestMatcher {
private String prefix;
static String[] supportedMethods = {"POST", "PUT", "GET", "DELETE", "PATCH"};
@Override
public boolean matches(HttpServletRequest request) {
final String requestURI = request.getRequestURI();
return Arrays.stream(supportedMethods).anyMatch(p -> request.getMethod().toUpperCase().equals(p))
&& requestURI.startsWith(prefix);
}
public String getPrefix() {
return prefix;
}
public void setPrefix(String prefix) {
this.prefix = prefix;
}
}

View File

@ -42,7 +42,7 @@
<sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>
<sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>
<sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>
<sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>
@ -62,8 +62,6 @@
<sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>
<sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/>
<sec:csrf/>
<sec:access-denied-handler error-page="/c/login"/>
<sec:form-login login-page="/c/login"
authentication-success-handler-ref="authenticationSuccessHandler"
@ -74,12 +72,13 @@
<!-- Expire in 28 days -->
<sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
<sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>
<sec:csrf token-repository-ref="tokenRepository"/>
<sec:csrf request-matcher-ref="requestMatcher"/>
</sec:http>
<bean id="tokenRepository"
class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
<property name="cookieHttpOnly" value="true"/>
<!-- Extends CFSR check to get methods to have consistency in all errors. Otherwise, request is forward in some cases -->
<bean id="requestMatcher"
class="com.wisemapping.security.CSFRRequestMatcher">
<property name="prefix" value="/c/restful/"/>
</bean>
<import resource="wisemapping-security-${security.type}.xml"/>