Require csrf token only on login and oauth/authorize page

Closes #13 Active CSRF only for oauth login page
FAForever · May 23, 2017 · f6d6d6e · f6d6d6e
1 parent a8e0992
commit f6d6d6e
Showing 1 changed file with 23 additions and 6 deletions.
diff --git a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
@@ -12,11 +12,16 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
 
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
 
 @Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@@ -27,15 +32,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   @Profile("dev")
   public void developUserDetails(AuthenticationManagerBuilder auth) throws Exception {
     auth.inMemoryAuthentication()
-        .withUser("user").password("user").roles("USER")
-        .and().withUser("admin").password("admin").roles("USER", "ADMIN");
+      .withUser("user").password("user").roles("USER")
+      .and().withUser("admin").password("admin").roles("USER", "ADMIN");
   }
 
   @Inject
   public void prodUserDetails(AuthenticationManagerBuilder auth, UserDetailsService userDetailsService) throws Exception {
     auth
-        .userDetailsService(userDetailsService)
-        .passwordEncoder(new ShaPasswordEncoder(256));
+      .userDetailsService(userDetailsService)
+      .passwordEncoder(new ShaPasswordEncoder(256));
   }
 
   @Bean
@@ -48,7 +53,19 @@ public AuthenticationManager authenticationManagerBean() throws Exception {
   protected void configure(HttpSecurity http) throws Exception {
     // @formatter:off
       http
-      .headers()
+      .csrf()
+        .requireCsrfProtectionMatcher(new RequestMatcher() {
+          private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
+          private RequestMatcher matcher = new OrRequestMatcher(
+            new AntPathRequestMatcher("/oauth/authorize"),
+            new AntPathRequestMatcher("/login"));
+
+          @Override
+          public boolean matches(HttpServletRequest request) {
+              return matcher.matches(request) && !allowedMethods.matcher(request.getMethod()).matches();
+          }
+      })
+      .and().headers()
       .cacheControl().disable()
       .and().formLogin().loginPage("/login").permitAll()
       .and().authorizeRequests()
@@ -68,7 +85,7 @@ public WebMvcConfigurer corsConfigurer() {
       @Override
       public void addCorsMappings(CorsRegistry registry) {
         registry.addMapping("/**")
-            .allowedMethods("*");
+          .allowedMethods("*");
       }
     };
   }