mirror of
https://bitbucket.org/wisemapping/wisemapping-open-source.git
synced 2024-12-22 19:33:48 +01:00
Add CSRD to get operations
This commit is contained in:
parent
9966412705
commit
f2c15d100d
@ -0,0 +1,27 @@
|
||||
package com.wisemapping.security;
|
||||
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.util.Arrays;
|
||||
|
||||
public class CSFRRequestMatcher implements RequestMatcher {
|
||||
|
||||
private String prefix;
|
||||
static String[] supportedMethods = {"POST", "PUT", "GET", "DELETE", "PATCH"};
|
||||
|
||||
@Override
|
||||
public boolean matches(HttpServletRequest request) {
|
||||
final String requestURI = request.getRequestURI();
|
||||
return Arrays.stream(supportedMethods).anyMatch(p -> request.getMethod().toUpperCase().equals(p))
|
||||
&& requestURI.startsWith(prefix);
|
||||
}
|
||||
|
||||
public String getPrefix() {
|
||||
return prefix;
|
||||
}
|
||||
|
||||
public void setPrefix(String prefix) {
|
||||
this.prefix = prefix;
|
||||
}
|
||||
}
|
@ -42,7 +42,7 @@
|
||||
<sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>
|
||||
<sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>
|
||||
|
||||
|
||||
|
||||
<sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>
|
||||
<sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>
|
||||
|
||||
@ -62,8 +62,6 @@
|
||||
<sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>
|
||||
|
||||
<sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/>
|
||||
|
||||
<sec:csrf/>
|
||||
<sec:access-denied-handler error-page="/c/login"/>
|
||||
<sec:form-login login-page="/c/login"
|
||||
authentication-success-handler-ref="authenticationSuccessHandler"
|
||||
@ -74,12 +72,13 @@
|
||||
<!-- Expire in 28 days -->
|
||||
<sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
|
||||
<sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>
|
||||
<sec:csrf token-repository-ref="tokenRepository"/>
|
||||
<sec:csrf request-matcher-ref="requestMatcher"/>
|
||||
</sec:http>
|
||||
|
||||
<bean id="tokenRepository"
|
||||
class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
|
||||
<property name="cookieHttpOnly" value="true"/>
|
||||
<!-- Extends CFSR check to get methods to have consistency in all errors. Otherwise, request is forward in some cases -->
|
||||
<bean id="requestMatcher"
|
||||
class="com.wisemapping.security.CSFRRequestMatcher">
|
||||
<property name="prefix" value="/c/restful/"/>
|
||||
</bean>
|
||||
|
||||
<import resource="wisemapping-security-${security.type}.xml"/>
|
||||
|
Loading…
Reference in New Issue
Block a user