diff --git a/src/main/java/com/digitalsanctuary/spring/user/util/WebSecurityConfig.java b/src/main/java/com/digitalsanctuary/spring/user/util/WebSecurityConfig.java index 788ef03..a70936d 100644 --- a/src/main/java/com/digitalsanctuary/spring/user/util/WebSecurityConfig.java +++ b/src/main/java/com/digitalsanctuary/spring/user/util/WebSecurityConfig.java @@ -49,6 +49,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Value("#{'${user.security.unprotectedURIs}'.split(',')}") private String[] unprotectedURIsArray; + @Value("#{'${user.security.disableCSRFdURIs}'.split(',')}") + private String[] disableCSRFURIsArray; + @Value("${user.security.loginPageURI}") private String loginPageURI; 
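Review bot: The new `@Value("#{'${user.security.disableCSRFdURIs}'.split(',')}")` has no default, so an application that picks up this configuration without defining the key fails placeholder resolution at startup, although for a CSRF exemption list "not set" should simply mean "no exemptions". Mirroring the existing fields' pattern is understandable, but for this opt-in I would write `@Value("#{'${user.security.disableCSRFdURIs:}'.split(',')}")`; the resulting empty string is already dropped by the `removeAll(Arrays.asList("", null))` in the next hunk. The key also carries a stray `d` (`disableCSRFdURIs` against the field `disableCSRFURIsArray`); as it is the public configuration name, correcting it after release becomes a breaking change, so now is the time. The enclosing class `WebSecurityConfig` begins and ends outside this hunk.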
@@ -122,22 +125,33 @@ protected void configure(HttpSecurity http) throws Exception { unprotectedURIs.add(forgotPasswordURI); unprotectedURIs.add(forgotPasswordPendingURI); unprotectedURIs.add(forgotPasswordChangeURI); - unprotectedURIs.toArray(new String[0]); + unprotectedURIs.removeAll(Arrays.asList("", null)); logger.debug("WebSecurityConfig.configure:" + "enhanced unprotectedURIs: {}", unprotectedURIs.toString()); + ArrayList disableCSRFURIs = new ArrayList(); + disableCSRFURIs.addAll(Arrays.asList(disableCSRFURIsArray)); + disableCSRFURIs.removeAll(Arrays.asList("", null)); + if (DEFAULT_ACTION_DENY.equals(getDefaultAction())) { http.authorizeRequests().antMatchers(unprotectedURIs.toArray(new String[0])).permitAll().anyRequest() .authenticated().and().formLogin().loginPage(loginPageURI).loginProcessingUrl(loginActionURI) .successHandler(loginSuccessService).permitAll().and().logout().logoutUrl(logoutActionURI) .invalidateHttpSession(true).logoutSuccessHandler(logoutSuccessService).deleteCookies("JSESSIONID") .permitAll(); + if (disableCSRFURIs != null && disableCSRFURIs.size() > 0) { + http.csrf().ignoringAntMatchers(disableCSRFURIs.toArray(new String[0])); + } } else if (DEFAULT_ACTION_ALLOW.equals(getDefaultAction())) { http.authorizeRequests().antMatchers(protectedURIsArray).authenticated().antMatchers("/**").permitAll() .and().formLogin().loginPage(loginPageURI).loginProcessingUrl(loginActionURI) .successHandler(loginSuccessService).successHandler(loginSuccessService).and().logout() .logoutUrl(logoutActionURI).invalidateHttpSession(true).logoutSuccessHandler(logoutSuccessService) .deleteCookies("JSESSIONID").permitAll(); + + if (disableCSRFURIs != null && disableCSRFURIs.size() > 0) { + http.csrf().ignoringAntMatchers(disableCSRFURIs.toArray(new String[0])); + } } else { logger.error("WebSecurityConfig.configure:" + "user.security.defaultAction must be set to either {} or {}!!! Denying access to all resources to force intentional configuration.", 
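Review bot: The identical `http.csrf().ignoringAntMatchers(...)` block is pasted into both the DENY and ALLOW branches, and nothing records at runtime that CSRF protection was switched off for those paths; an exemption list read from configuration can silently grow (a stray `/**` disables CSRF for the whole application), so it deserves a single site with a WARN log of the exempted patterns. HttpSecurity configurers are order-independent, so the block can be hoisted ahead of the `if`; while there, `disableCSRFURIs != null` is always true for a list constructed two statements earlier, and the raw `ArrayList` should be `List<String>` (add the `java.util.List` import if the file lacks it). Note that `ignoringAntMatchers` matches on path regardless of HTTP method, so the listed URIs are only safe to exempt if they do not authenticate via the session cookie, which is worth stating in the property's documentation. The `configure` method continues past the end of this hunk.
```java
List<String> disableCSRFURIs = new ArrayList<>(Arrays.asList(disableCSRFURIsArray));
disableCSRFURIs.removeAll(Arrays.asList("", null));

// Single site for the exemption, visible in the startup log. Only safe for endpoints that do
// not rely on the session cookie for authentication (e.g. token-authenticated API calls).
if (!disableCSRFURIs.isEmpty()) {
    logger.warn("WebSecurityConfig.configure:" + "CSRF protection disabled for URIs: {}", disableCSRFURIs);
    http.csrf().ignoringAntMatchers(disableCSRFURIs.toArray(new String[0]));
}

if (DEFAULT_ACTION_DENY.equals(getDefaultAction())) {
    // … unchanged: authorizeRequests/formLogin/logout chain, duplicated csrf block removed …
} else if (DEFAULT_ACTION_ALLOW.equals(getDefaultAction())) {
    // … unchanged: authorizeRequests/formLogin/logout chain, duplicated csrf block removed …
```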
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index a4c05f3..4d3ad48 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -35,6 +35,9 @@ user.security.protectedURIs=/protected.html // Used if default is deny user.security.unprotectedURIs=/,/index.html,/favicon.ico,/css/*,/js/*,/img/*,/user/registration,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword +// URIs to disable CSRF checks. This might include API endpoints used by external clients. +user.security.disableCSRFdURIs=/no-csrf-test + // Centralizing the URIs of common pages to make changing paths easier. You can leave this section alone if you use the default page locations from this project. These URLs do NOT have to be included in the unprotectedURIs list above as they will automatically be handled. user.security.loginPageURI=/user/login.html