From f6d6d6e8e7ffb9195d95d10328a0607e2411fcf7 Mon Sep 17 00:00:00 2001
From: kubo
Date: Mon, 22 May 2017 00:18:10 +0200
Subject: [PATCH] Require csrf token only on login and oauth/authorize page

Closes #13
Active CSRF only for oauth login page
---
 .../config/security/WebSecurityConfig.java | 29 +++++++++++++++----
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
index d66ca0aaa..e22b760c1 100644
--- a/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
+++ b/src/main/java/com/faforever/api/config/security/WebSecurityConfig.java
@@ -12,11 +12,16 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
 
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
 
 @Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@@ -27,15 +32,15 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   @Profile("dev")
   public void developUserDetails(AuthenticationManagerBuilder auth) throws Exception {
     auth.inMemoryAuthentication()
-        .withUser("user").password("user").roles("USER")
-        .and().withUser("admin").password("admin").roles("USER", "ADMIN");
+      .withUser("user").password("user").roles("USER")
+      .and().withUser("admin").password("admin").roles("USER", "ADMIN");
   }
 
   @Inject
   public void prodUserDetails(AuthenticationManagerBuilder auth, UserDetailsService userDetailsService) throws Exception {
     auth
-        .userDetailsService(userDetailsService)
-        .passwordEncoder(new ShaPasswordEncoder(256));
+      .userDetailsService(userDetailsService)
+      .passwordEncoder(new ShaPasswordEncoder(256));
   }
 
   @Bean
@@ -48,7 +53,19 @@ public AuthenticationManager authenticationManagerBean() throws Exception {
   protected void configure(HttpSecurity http) throws Exception {
     // @formatter:off
     http
-      .headers()
+      .csrf()
+      .requireCsrfProtectionMatcher(new RequestMatcher() {
+        private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
+        private RequestMatcher matcher = new OrRequestMatcher(
+          new AntPathRequestMatcher("/oauth/authorize"),
+          new AntPathRequestMatcher("/login"));
+
+        @Override
+        public boolean matches(HttpServletRequest request) {
+          return matcher.matches(request) && !allowedMethods.matcher(request.getMethod()).matches();
+        }
+      })
+      .and().headers()
       .cacheControl().disable()
       .and().formLogin().loginPage("/login").permitAll()
       .and().authorizeRequests()
@@ -68,7 +85,7 @@ public WebMvcConfigurer corsConfigurer() {
       @Override
       public void addCorsMappings(CorsRegistry registry) {
         registry.addMapping("/**")
-            .allowedMethods("*");
+          .allowedMethods("*");
       }
     };
   }
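Review bot: The custom `requireCsrfProtectionMatcher` switches CSRF checking off for every path other than `/login` and `/oauth/authorize`, so any other endpoint that the session created by `formLogin()` can authenticate — `/logout` included, which Spring will still accept as a cross-site POST once the token check no longer applies — becomes reachable from a third-party page; that is only acceptable if nothing else in this configuration trusts the session cookie, which the hunk cannot show. At minimum add `new AntPathRequestMatcher("/logout")` to the `OrRequestMatcher`, and state the assumption next to `.csrf()`, e.g. `// CSRF is enforced only on the browser-facing login/authorize/logout forms; every other endpoint must authenticate with a bearer token, never the session cookie`. The `configure` method body continues past the end of the hunk.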