From ea4fbe920cf034da92c4860f4f4b36a55a2bff4e Mon Sep 17 00:00:00 2001 From: Micah Silverman Date: Thu, 14 Jul 2016 02:00:04 -0400 Subject: [PATCH] updated ignoringAntMatchers for csrf --- .../jjwtfun/config/WebSecurityConfig.java | 26 ++++++++++++++----- .../jjwtfun/controller/SecretsController.java | 2 +- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java index ad51cdafdc..94e2c6ddc5 100644 --- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java +++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java @@ -18,6 +18,7 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; +import java.util.Arrays; @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @@ -28,16 +29,21 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired SecretService secretService; + // ordered so we can use binary search below + private String[] ignoreCsrfAntMatchers = { + "/dynamic-builder-compress", + "/dynamic-builder-general", + "/dynamic-builder-specific", + "/set-secrets" + }; + @Override protected void configure(HttpSecurity http) throws Exception { http .addFilterAfter(new JwtCsrfValidatorFilter(), CsrfFilter.class) .csrf() .csrfTokenRepository(jwtCsrfTokenRepository) - .ignoringAntMatchers("/dynamic-builder-general") - .ignoringAntMatchers("/dynamic-builder-specific") - .ignoringAntMatchers("/dynamic-builder-compress") - .ignoringAntMatchers("/set-secrets") + .ignoringAntMatchers(ignoreCsrfAntMatchers) .and().authorizeRequests() .antMatchers("/**") .permitAll(); @@ -51,9 +57,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { CsrfToken token = (CsrfToken) request.getAttribute("_csrf"); - // CsrfFilter already made sure the token matched. - // Here, we'll make sure it's not expired - if ("POST".equals(request.getMethod()) && token != null) { + if ( + // only care if it's a POST + "POST".equals(request.getMethod()) && + // ignore if the request path is in our list + Arrays.binarySearch(ignoreCsrfAntMatchers, request.getServletPath()) < 0 && + // make sure we have a token + token != null + ) { + // CsrfFilter already made sure the token matched. Here, we'll make sure it's not expired try { Jwts.parser() .setSigningKeyResolver(secretService.getSigningKeyResolver()) diff --git a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/SecretsController.java b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/SecretsController.java index c962e009d7..1ca0973c33 100644 --- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/SecretsController.java +++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/SecretsController.java @@ -12,7 +12,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET; import static org.springframework.web.bind.annotation.RequestMethod.POST; @RestController -public class SecretsController { +public class SecretsController extends BaseController { @Autowired SecretService secretService;