22
33import org .springframework .context .annotation .Bean ;
44import org .springframework .context .annotation .Configuration ;
5+ import org .springframework .http .HttpMethod ;
56import org .springframework .security .config .annotation .web .builders .HttpSecurity ;
67import org .springframework .security .web .SecurityFilterChain ;
78import org .springframework .security .web .authentication .SavedRequestAwareAuthenticationSuccessHandler ;
9+ import org .springframework .security .web .csrf .CookieCsrfTokenRepository ;
10+ import org .springframework .security .web .csrf .CsrfTokenRequestAttributeHandler ;
11+
12+ import static com .generic .server .constants .Constants .*;
813
914@ Configuration
1015public class HttpConfig {
1116
1217 @ Bean
1318 public SecurityFilterChain localLoginAndRedirectFilterChain (HttpSecurity http ) throws Exception {
14- http .csrf (csrf -> csrf .disable ());
19+
20+ http .csrf (csrf -> csrf
21+ .csrfTokenRepository (CookieCsrfTokenRepository .withHttpOnlyFalse ())
22+ .csrfTokenRequestHandler (new CsrfTokenRequestAttributeHandler ())
23+ .ignoringRequestMatchers (ACTUATOR_CSRF_EXCLUDED_PATHS )
24+ );
1525 http .authorizeHttpRequests (authorize -> authorize
26+ .requestMatchers (HttpMethod .GET , SWAGGER_PATHS ).authenticated ()
27+ .requestMatchers ("/actuator/**" ).hasAnyRole ("ACTUATOR" , "ADMIN" )
1628 .anyRequest ().authenticated ()
1729 );
1830 SavedRequestAwareAuthenticationSuccessHandler handler =
@@ -36,7 +48,7 @@ public void sendRedirect(
3648 jakarta .servlet .http .HttpServletResponse response ,
3749 String url
3850 ) throws java .io .IOException {
39- String cleanedUrl = url .replace ("?continue" , "" );
51+ String cleanedUrl = url .replace ("?continue" , "" ). replace ( "&continue" , "" ) ;
4052 delegate .sendRedirect (request , response , cleanedUrl );
4153 }
4254 }
0 commit comments