updated ignoringAntMatchers for csrf
This commit is contained in:
parent
4a4c4f3c7c
commit
ea4fbe920c
|
@ -18,6 +18,7 @@ import javax.servlet.ServletException;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletResponse;
|
import javax.servlet.http.HttpServletResponse;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.util.Arrays;
|
||||||
|
|
||||||
@Configuration
|
@Configuration
|
||||||
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
@ -28,16 +29,21 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
@Autowired
|
@Autowired
|
||||||
SecretService secretService;
|
SecretService secretService;
|
||||||
|
|
||||||
|
// ordered so we can use binary search below
|
||||||
|
private String[] ignoreCsrfAntMatchers = {
|
||||||
|
"/dynamic-builder-compress",
|
||||||
|
"/dynamic-builder-general",
|
||||||
|
"/dynamic-builder-specific",
|
||||||
|
"/set-secrets"
|
||||||
|
};
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
protected void configure(HttpSecurity http) throws Exception {
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
http
|
http
|
||||||
.addFilterAfter(new JwtCsrfValidatorFilter(), CsrfFilter.class)
|
.addFilterAfter(new JwtCsrfValidatorFilter(), CsrfFilter.class)
|
||||||
.csrf()
|
.csrf()
|
||||||
.csrfTokenRepository(jwtCsrfTokenRepository)
|
.csrfTokenRepository(jwtCsrfTokenRepository)
|
||||||
.ignoringAntMatchers("/dynamic-builder-general")
|
.ignoringAntMatchers(ignoreCsrfAntMatchers)
|
||||||
.ignoringAntMatchers("/dynamic-builder-specific")
|
|
||||||
.ignoringAntMatchers("/dynamic-builder-compress")
|
|
||||||
.ignoringAntMatchers("/set-secrets")
|
|
||||||
.and().authorizeRequests()
|
.and().authorizeRequests()
|
||||||
.antMatchers("/**")
|
.antMatchers("/**")
|
||||||
.permitAll();
|
.permitAll();
|
||||||
|
@ -51,9 +57,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
|
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
|
||||||
|
|
||||||
// CsrfFilter already made sure the token matched.
|
if (
|
||||||
// Here, we'll make sure it's not expired
|
// only care if it's a POST
|
||||||
if ("POST".equals(request.getMethod()) && token != null) {
|
"POST".equals(request.getMethod()) &&
|
||||||
|
// ignore if the request path is in our list
|
||||||
|
Arrays.binarySearch(ignoreCsrfAntMatchers, request.getServletPath()) < 0 &&
|
||||||
|
// make sure we have a token
|
||||||
|
token != null
|
||||||
|
) {
|
||||||
|
// CsrfFilter already made sure the token matched. Here, we'll make sure it's not expired
|
||||||
try {
|
try {
|
||||||
Jwts.parser()
|
Jwts.parser()
|
||||||
.setSigningKeyResolver(secretService.getSigningKeyResolver())
|
.setSigningKeyResolver(secretService.getSigningKeyResolver())
|
||||||
|
|
|
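Review bot: The new `Arrays.binarySearch(ignoreCsrfAntMatchers, request.getServletPath()) < 0` test rests on two unchecked assumptions: that `ignoreCsrfAntMatchers` stays sorted (the result of `binarySearch` on an unsorted array is undefined, so an entry later added out of order would silently run or skip the expiry check on the wrong paths, and nothing enforces the "ordered so we can use binary search" comment) and that an exact `servletPath` string compare agrees with the Ant-pattern matching that `ignoringAntMatchers` applies upstream (a trailing slash, a `;jsessionid` suffix or a future wildcard entry would be classified differently by the two layers). Because these four paths are also exempt from `CsrfFilter` itself, the mismatch is a defence-in-depth gap rather than a bypass, but both layers should be driven from one `RequestMatcher` built from the same list, as sketched below. Separately, the list exempts a POST `/set-secrets` endpoint from CSRF while `authorizeRequests().antMatchers("/**").permitAll()` leaves it unauthenticated; if that handler mutates signing-key state (the name suggests so, not confirmed here) it needs protection by some other means, e.g. a non-browser credential. The condition also fires only for `POST`, so PUT/PATCH/DELETE requests skip the expiry check even though `CsrfFilter` protects them by default; `CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)` keeps the two in step. The enclosing filter method starts and ends outside this hunk.
```java
private String[] ignoreCsrfAntMatchers = { /* … unchanged: the four paths … */ };

// Same paths as a RequestMatcher, so the filter below applies exactly the
// Ant semantics that ignoringAntMatchers() applies in CsrfFilter.
private final RequestMatcher ignoreCsrfMatcher = buildIgnoreMatcher(ignoreCsrfAntMatchers);

private static RequestMatcher buildIgnoreMatcher(String[] patterns) {
    List<RequestMatcher> matchers = new ArrayList<>(patterns.length);
    for (String pattern : patterns) {
        matchers.add(new AntPathRequestMatcher(pattern));
    }
    return new OrRequestMatcher(matchers);
}

// … unchanged: configure(HttpSecurity) still passes ignoreCsrfAntMatchers to ignoringAntMatchers() …

// inside JwtCsrfValidatorFilter, replacing the POST / binarySearch / token != null condition
if (CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request)
        && !ignoreCsrfMatcher.matches(request)
        && token != null) {
    // … unchanged: CsrfFilter already matched the token; verify it is not expired …
```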
@ -12,7 +12,7 @@ import static org.springframework.web.bind.annotation.RequestMethod.GET;
|
||||||
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
import static org.springframework.web.bind.annotation.RequestMethod.POST;
|
||||||
|
|
||||||
@RestController
|
@RestController
|
||||||
public class SecretsController {
|
public class SecretsController extends BaseController {
|
||||||
|
|
||||||
@Autowired
|
@Autowired
|
||||||
SecretService secretService;
|
SecretService secretService;
|
||||||
|
|