
Commit 04b1f8a

committed
Do not save session on 404, secure account endpoints
1 parent ae00984 commit 04b1f8a

2 files changed

Lines changed: 3 additions & 1 deletion


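--- a/orcid-web/src/main/java/org/orcid/frontend/spring/session/redis/OrcidRedisIndexedSessionRepository.java
+++ b/orcid-web/src/main/java/org/orcid/frontend/spring/session/redis/OrcidRedisIndexedSessionRepository.java
@@ -69,7 +69,7 @@ public class OrcidRedisIndexedSessionRepository implements FindByIndexNameSessio
 "/orgs/disambiguated/ROR", "/peer-reviews/peer-review.json", "/peer-reviews/peer-reviews-by-group-id.json", "/peer-reviews/peer-reviews-minimized.json", "/qr-code.png", "/register.json",
 "/research-resources/researchResource.json", "/research-resources/researchResourcePage.json", "/userInfo.json", "/works/getWorkInfo.json", "/works/groupingSuggestions.json", "/works/idTypes.json", "/works/work.json",
 "/works/worksExtendedPage.json", "/404");
-private final List<String> urisToSkipAlways = List.of("/oauth/custom/register/validatePassword.json");
+private final List<String> urisToSkipAlways = List.of("/oauth/custom/register/validatePassword.json", "/404");
 private final Set<String> GET_SKIP_SAVE_SESSION = new HashSet<>(urisToSkipOnGet);
 private final Set<String> ALWAYS_SKIP_SAVE_SESSION = new HashSet<>(urisToSkipAlways);
 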
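Review bot: `"/404"` now appears in both skip lists — it is already the last element of urisToSkipOnGet at line 71, so that entry becomes redundant once ALWAYS_SKIP_SAVE_SESSION contains it; either drop it from urisToSkipOnGet or mark the overlap as deliberate with `// "/404" is also in urisToSkipAlways so non-GET requests to the error page never create a session`. Whether the sets are consulted by exact path or by prefix is decided outside the hunk, so I cannot tell from here whether an error-page request whose URI is not literally `/404` (for example a forwarded error with the original path) is covered. GET_SKIP_SAVE_SESSION and ALWAYS_SKIP_SAVE_SESSION are instance fields written in UPPER_SNAKE_CASE, a convention normally reserved for static constants, and `Set.copyOf(urisToSkipAlways)` would yield an unmodifiable set rather than a mutable HashSet. The enclosing class continues outside the hunk.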
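--- a/orcid-web/src/main/resources/orcid-frontend-security.xml
+++ b/orcid-web/src/main/resources/orcid-frontend-security.xml
@@ -410,6 +410,8 @@
 access="ROLE_USER"/>
 <sec:intercept-url pattern="/get-my-data"
 access="ROLE_USER"/>
+<sec:intercept-url pattern="/account/.*"
+access="ROLE_USER"/>
 <sec:intercept-url pattern="/verify-email/[a-zA-Z0-9_-]+(\?lang=[a-zA-Z]*)?"
 access="IS_AUTHENTICATED_ANONYMOUSLY" />
 <sec:intercept-url pattern="/userInfo.json(\?.*)?"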
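Review bot: The new `/account/.*` rule only matches paths with something after `/account/`, so a request for the bare `/account` path (with or without a query string) is not covered by it and falls through to whatever later rule matches; if a handler is mounted at that path as well, `pattern="/account(/.*)?"` closes the gap, in the same spirit as the `(\?.*)?` suffix the file already uses on the `/userInfo.json` rule. This assumes the regex request matcher that the neighbouring patterns imply; if the file is configured for ant-style matching the rule would need `/account/**` instead. intercept-url rules are evaluated in order with the first match winning, so an earlier, broader pattern granting anonymous access to something under `/account/` would take precedence over this one — the earlier rules are outside the hunk, so I cannot confirm none does.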
