Commit 7f268604 authored by Kristjan Kruus's avatar Kristjan Kruus

Merge pull request #28 in RIHA/riha-browser from...

Merge pull request #28 in RIHA/riha-browser from feature/RIHAKB-429-riha-haldurina-soovin-et-riha-rakenduses-oleks-rakendatud-csp to develop

* commit '8fda5441':
  RIHAKB-429 fixed
parents f87ec85f 8fda5441
......@@ -7,7 +7,9 @@ import ee.ria.riha.authentication.RihaUserDetails;
import ee.ria.riha.conf.ApplicationProperties.LdapAuthenticationProperties;
import ee.ria.riha.conf.ApplicationProperties.LdapProperties;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
......@@ -73,6 +75,9 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
protected ApplicationProperties applicationProperties;
@Value("${csp.policyDirective}")
private String policyDirective;
@Bean
public LdapUserDetailsService ldapUserDetailsService(ApplicationProperties applicationProperties,
LdapContextSource contextSource) {
......@@ -103,6 +108,12 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
if (StringUtils.isNotBlank(policyDirective)) {
http.headers()
.contentSecurityPolicy(policyDirective);
}
http
.csrf().disable() // needed for JWT verification
.cors().disable()
......
package ee.ria.riha.conf;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
......@@ -14,6 +16,11 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@Configuration
@Profile("dev")
public class WebSecurityDevConfiguration extends WebSecurityConfiguration {
@Value("${csp.policyDirective}")
private String policyDirective;
@Bean
protected UsernamePasswordAuthenticationFilter authenticationFilter(DeveloperAuthenticationManager authenticationManager) {
UsernamePasswordAuthenticationFilter authenticationFilter = new UsernamePasswordAuthenticationFilter();
......@@ -26,6 +33,12 @@ public class WebSecurityDevConfiguration extends WebSecurityConfiguration {
@Override
protected void configure(HttpSecurity http) throws Exception {
if (StringUtils.isNotBlank(policyDirective)) {
http.headers()
.contentSecurityPolicy(policyDirective);
}
http
.csrf().disable()
.cors().disable()
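Review bot: WebSecurityDevConfiguration redeclares `private String policyDirective` with the same `@Value("${csp.policyDirective}")` and repeats the whole CSP block, apparently because the field added to the parent WebSecurityConfiguration is `private`; two injection points and two copies of the logic for one property will drift apart. Declaring the parent's field as `protected String policyDirective;` (or exposing a `protected` helper that applies the header) lets the subclass drop its own field and the copied `if` block, so the dev profile's CSP handling stays identical to production's by construction. configure() continues past the end of this hunk.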
......
......@@ -12,3 +12,7 @@ browser.developerUser.organizations[1].roles=ROLE_KIRJELDAJA,ROLE_TESTIJA,ROLE_R
## TARA properties
## Not used, to keep Spring security happy only
browser.tara.jwkKeySetUri=https://tara-local.ria.ee/oidc/jwks
#CSP configuration
csp.policyDirective=
\ No newline at end of file
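Review bot: `csp.policyDirective=` is left empty in the dev profile, so the dev configuration never sends a Content-Security-Policy header and any page breakage caused by the production policy (inline styles, Google fonts, the plumbr scripts) will only show up after deployment. Unless running dev without CSP is intentional, setting the same directive here would surface violations in the browser console during development; if blocking is too disruptive locally, the CSP configurer in Spring Security can emit the policy in report-only mode instead.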
......@@ -128,4 +128,8 @@ browser.tara.jwkKeySetUri=
#logging.level.root = DEBUG
#CSP configuration
csp.policyDirective=default-src 'self'; font-src 'self' data: fonts.googleapis.com fonts.gstatic.com 'unsafe-inline'; img-src 'self' data: ; script-src 'self' *.plumbr.io; script-src-elem 'self' *.plumbr.io; connect-src 'self' browser.plumbr.io plumbr.ria.ee; style-src 'self' data: fonts.gstatic.com 'unsafe-inline'; style-src-elem 'self' data: fonts.googleapis.com fonts.gstatic.com 'unsafe-inline';
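Review bot: The production directive omits the directives that do not fall back to `default-src` — `frame-ancestors`, `base-uri` and `form-action` — so framing of the application and `<base>`-tag injection are not constrained by this policy (framing may still be covered by an X-Frame-Options header set elsewhere, which is not visible in this diff). Appending `frame-ancestors 'none'; base-uri 'self'; form-action 'self';` (or the origins that legitimately frame the app) closes that gap. Two smaller points: `'unsafe-inline'` is not a valid source for `font-src` and will be ignored by browsers, and `script-src-elem` merely restates `script-src`, so both could be dropped. The `'unsafe-inline'` on `style-src`/`style-src-elem` is the main remaining weakness; hashes or a nonce would be the stricter follow-up once the inline styles can be enumerated.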