vmario/wisemapping-open-source
1
0
Fork 0
mirror of https://bitbucket.org/wisemapping/wisemapping-open-source.git synced 2024-10-05 17:58:36 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add CSRD to get operations

Browse Source
This commit is contained in:
Paulo Gustavo Veiga 2022-02-19 15:57:57 -08:00
parent 9966412705
commit f2c15d100d
2 changed files with 33 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
wise-webapp/src/main/java/com/wisemapping/security/CSFRRequestMatcher.java Normal file
View File

@ -0,0 +1,27 @@
package com.wisemapping.security;
import org.springframework.security.web.util.matcher.RequestMatcher;
import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
public class CSFRRequestMatcher implements RequestMatcher {
private String prefix;
static String[] supportedMethods = {"POST", "PUT", "GET", "DELETE", "PATCH"};
@Override
public boolean matches(HttpServletRequest request) {
final String requestURI = request.getRequestURI();
return Arrays.stream(supportedMethods).anyMatch(p -> request.getMethod().toUpperCase().equals(p))
&& requestURI.startsWith(prefix);
}
public String getPrefix() {
return prefix;
}
public void setPrefix(String prefix) {
this.prefix = prefix;
}
}

13
wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml
View File

@ -42,7 +42,7 @@
<sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/> <sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>
<sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/> <sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>
<sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/> <sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>
<sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/> <sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>
@ -62,8 +62,6 @@
<sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/> <sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>
<sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/> <sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/>
<sec:csrf/>
<sec:access-denied-handler error-page="/c/login"/> <sec:access-denied-handler error-page="/c/login"/>
<sec:form-login login-page="/c/login" <sec:form-login login-page="/c/login"
authentication-success-handler-ref="authenticationSuccessHandler" authentication-success-handler-ref="authenticationSuccessHandler"
@ -74,12 +72,13 @@
<!-- Expire in 28 days --> <!-- Expire in 28 days -->
<sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/> <sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
<sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/> <sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>
<sec:csrf token-repository-ref="tokenRepository"/> <sec:csrf request-matcher-ref="requestMatcher"/>
</sec:http> </sec:http>
<bean id="tokenRepository" <!-- Extends CFSR check to get methods to have consistency in all errors. Otherwise, request is forward in some cases -->
class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"> <bean id="requestMatcher"
<property name="cookieHttpOnly" value="true"/> class="com.wisemapping.security.CSFRRequestMatcher">
<property name="prefix" value="/c/restful/"/>
</bean> </bean>
<import resource="wisemapping-security-${security.type}.xml"/> <import resource="wisemapping-security-${security.type}.xml"/>