Skip to content

Commit 4f58fa8

Browse files
committed
fixed csrf issues!
1 parent 627fe77 commit 4f58fa8

6 files changed

Lines changed: 45 additions & 6 deletions

File tree

build.gradle

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,7 @@ tasks.named('bootRun') {
7171
'-Dcom.sun.management.jmxremote.ssl=false',
7272
'-Dcom.sun.management.jmxremote.authenticate=false',
7373
'-Dcom.sun.management.jmxremote.rmi.port=9010',
74-
'-Dspring.profiles.active=prod'
74+
'-Dspring.profiles.active=local'
7575
]
7676
}
7777

src/main/java/com/generic/server/config/HttpConfig.java

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,17 +2,29 @@
22

33
import org.springframework.context.annotation.Bean;
44
import org.springframework.context.annotation.Configuration;
5+
import org.springframework.http.HttpMethod;
56
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
67
import org.springframework.security.web.SecurityFilterChain;
78
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
9+
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
10+
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
11+
12+
import static com.generic.server.constants.Constants.*;
813

914
@Configuration
1015
public class HttpConfig {
1116

1217
@Bean
1318
public SecurityFilterChain localLoginAndRedirectFilterChain(HttpSecurity http) throws Exception {
14-
http.csrf(csrf -> csrf.disable());
19+
20+
http.csrf(csrf -> csrf
21+
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
22+
.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
23+
.ignoringRequestMatchers(ACTUATOR_CSRF_EXCLUDED_PATHS)
24+
);
1525
http.authorizeHttpRequests(authorize -> authorize
26+
.requestMatchers(HttpMethod.GET, SWAGGER_PATHS).authenticated()
27+
.requestMatchers("/actuator/**").hasAnyRole("ACTUATOR", "ADMIN")
1628
.anyRequest().authenticated()
1729
);
1830
SavedRequestAwareAuthenticationSuccessHandler handler =
@@ -36,7 +48,7 @@ public void sendRedirect(
3648
jakarta.servlet.http.HttpServletResponse response,
3749
String url
3850
) throws java.io.IOException {
39-
String cleanedUrl = url.replace("?continue", "");
51+
String cleanedUrl = url.replace("?continue", "").replace("&continue", "");
4052
delegate.sendRedirect(request, response, cleanedUrl);
4153
}
4254
}
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
package com.generic.server.constants;
2+
3+
public class Constants {
4+
5+
public static final String[] SWAGGER_PATHS = {
6+
"/swagger-ui/**",
7+
"/v3/api-docs/**"
8+
};
9+
10+
public static final String[] ACTUATOR_CSRF_EXCLUDED_PATHS = {
11+
"/actuator/hawtio/**",
12+
"/actuator/jolokia/**",
13+
"/actuator/shutdown"
14+
};
15+
16+
}

src/main/resources/application-local.yml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,14 +2,18 @@ management:
22
endpoints:
33
web:
44
exposure:
5-
include: "health,info,hawtio,jolokia,prometheus"
5+
include: "*"
66
health:
77
show-details: when_authorized
88

99
hawtio:
1010
authenticationEnabled: false
1111

1212
spring:
13+
servlet:
14+
session:
15+
cookie:
16+
same-site: strict
1317
security:
1418
user:
1519
name: "devuser"

src/main/resources/application-prod.yml

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,16 +2,23 @@ management:
22
endpoints:
33
web:
44
exposure:
5-
include: "health,info,hawtio,jolokia,prometheus"
5+
include: "health,info,hawtio,prometheus"
66
health:
77
show-details: when_authorized
8+
endpoint:
9+
shutdown:
10+
enabled: false
811

912
hawtio:
1013
authenticationEnabled: true
1114

1215
spring:
1316
devtools:
1417
add-properties: false
18+
servlet:
19+
session:
20+
cookie:
21+
same-site: strict
1522

1623
logging:
1724
level:

src/test/java/com/generic/server/config/HttpConfigTest.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ void sendRedirect_withContinue_removesIt() throws IOException {
1717
strategy.delegate = delegate;
1818
var request = mock(jakarta.servlet.http.HttpServletRequest.class);
1919
var response = mock(jakarta.servlet.http.HttpServletResponse.class);
20-
var url = "http://localhost:8080/some/path?continue";
20+
var url = "http://localhost:8080/some/path?continue&continue";
2121

2222
// Act
2323
strategy.sendRedirect(request, response, url);

0 commit comments

Comments
 (0)