Commit d69e3314 authored by Kristjan Kruus's avatar Kristjan Kruus

Merge pull request #29 in RIHA/riha-browser from...

Merge pull request #29 in RIHA/riha-browser from feature/RIHAKB-414-riha-haldurina-soovin-et-riha-rakendusel-oleks-csrf-kaitse to develop

* commit 'ee34e4cb':
  RIHAKB-414 csrf support implemented
parents 7f268604 ee34e4cb
......@@ -40,6 +40,8 @@ import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.web.util.UriUtils;
import javax.servlet.Filter;
......@@ -115,7 +117,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
}
http
.csrf().disable() // needed for JWT verification
.csrf().csrfTokenRepository(csrfTokenRepository()).and()
.cors().disable()
.authorizeRequests()
......@@ -165,6 +167,13 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
.addObjectPostProcessor(new CustomPostProcessor());
}
private CsrfTokenRepository csrfTokenRepository() {
CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
cookieCsrfTokenRepository.setCookieHttpOnly(false);
cookieCsrfTokenRepository.setCookiePath("/");
return cookieCsrfTokenRepository;
}
protected AuthenticationSuccessHandler successHandler() {
return (request, response, authentication) -> {
log.info("Kasutaja {} ID koodiga {} logis sisse kasutades amr: {} ",
......
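Review bot: The private `csrfTokenRepository()` helper added in the last hunk of this file is repeated verbatim in WebSecurityDevConfiguration (next file section), which `extends WebSecurityConfiguration`; declaring it once here as `protected CsrfTokenRepository csrfTokenRepository()` lets the dev configuration inherit it, and `CookieCsrfTokenRepository.withHttpOnlyFalse()` expresses the non-HttpOnly setting in a single call. The removed line's comment `// needed for JWT verification` is dropped without a replacement; if any endpoint is still called with a bearer JWT by non-browser clients, those POST/PUT/DELETE calls now need the XSRF-TOKEN cookie round-trip, so either exempt them with `.csrf().ignoringAntMatchers(...)` or record in a comment why that concern no longer applies. The cookie is intentionally readable from JavaScript so Angular can echo it in the header, and a one-line comment such as `// HttpOnly=false: Angular's XSRF support reads this cookie and sends it back as X-XSRF-TOKEN` would make that intent explicit for the next reader. The `configure(HttpSecurity)` body these hunks edit starts and ends outside the visible hunks.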
......@@ -11,6 +11,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@Configuration
......@@ -40,7 +42,7 @@ public class WebSecurityDevConfiguration extends WebSecurityConfiguration {
}
http
.csrf().disable()
.csrf().csrfTokenRepository(csrfTokenRepository()).and()
.cors().disable()
.authorizeRequests()
.anyRequest()
......@@ -56,4 +58,11 @@ public class WebSecurityDevConfiguration extends WebSecurityConfiguration {
.loginPage("/oauth2/authorization/tara")
.loginProcessingUrl("/oauth2/authorization/tara");
}
private CsrfTokenRepository csrfTokenRepository() {
CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
cookieCsrfTokenRepository.setCookieHttpOnly(false);
cookieCsrfTokenRepository.setCookiePath("/");
return cookieCsrfTokenRepository;
}
}
......@@ -10,7 +10,7 @@ import {BrowserAnimationsModule} from '@angular/platform-browser/animations';
import {ToastrModule} from 'ngx-toastr';
import {CustomFormsModule} from 'ng2-validation';
import {UiSwitchModule} from 'ngx-ui-switch';
import {HttpClient, HttpClientModule} from '@angular/common/http';
import {HttpClient, HttpClientModule, HttpClientXsrfModule} from '@angular/common/http';
import missingTranslationHandler from './app.missingTranslation';
......@@ -196,6 +196,7 @@ const routes: Routes = [
deps: [HttpClient]
}
}),
HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN'}),
NgbModule
],
entryComponents: [
......
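Review bot: `HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN'})` installs Angular's own XSRF interceptor, so together with the custom `HttpXsrfInterceptor` registered in the new interceptor index there are now two interceptors responsible for the same `X-XSRF-TOKEN` header; the custom one's `headers.has` check prevents a double set, but the overlap deserves a comment or one of the two should be removed. `XSRF-TOKEN` is also Angular's default cookie name and the header name is left at its default, which happens to match what Spring's CookieCsrfTokenRepository expects; spelling out both, `HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN', headerName: 'X-XSRF-TOKEN'})`, keeps the contract between the two sides visible in one place. The `imports` array this line sits in continues outside the hunk.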
import {HTTP_INTERCEPTORS} from '@angular/common/http';
import {SessionInterceptor} from './session-interceptor';
import {HttpXsrfInterceptor} from './xcsrf-interceptor';
/** Http interceptor providers in outside-in order */
export const httpInterceptorProviders = [
{provide: HTTP_INTERCEPTORS, useClass: HttpXsrfInterceptor, multi: true},
{provide: HTTP_INTERCEPTORS, useClass: SessionInterceptor, multi: true},
];
import {HttpEvent, HttpHandler, HttpInterceptor, HttpRequest, HttpXsrfTokenExtractor} from '@angular/common/http';
import {Injectable} from '@angular/core';
import {Observable} from 'rxjs';
@Injectable()
export class HttpXsrfInterceptor implements HttpInterceptor {
constructor(private tokenExtractor: HttpXsrfTokenExtractor) {
}
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
const headerName = 'X-XSRF-TOKEN';
let token = this.tokenExtractor.getToken() as string;
if (token !== null && !req.headers.has(headerName)) {
req = req.clone({ headers: req.headers.set(headerName, token) });
}
return next.handle(req);
}
}
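Review bot: The cast `this.tokenExtractor.getToken() as string` at the top of `intercept` hides the `string | null` return type that the very next `token !== null` check depends on; drop the cast and write `const token = this.tokenExtractor.getToken();`. The interceptor also attaches the token to every request, including GET/HEAD and absolute `http(s)://` URLs, whereas Angular's built-in XSRF interceptor (already enabled through `HttpClientXsrfModule` in app.module.ts) deliberately skips both so that the token is never sent to a foreign origin; if this class exists because the API is reached through absolute URLs the built-in one ignores, it should still exclude read-only methods and any host other than the API origin rather than every request. `HttpRequest<any>` can be `HttpRequest<unknown>` since the body is never inspected, and `let token` is never reassigned.
```typescript
intercept(req: HttpRequest<unknown>, next: HttpHandler): Observable<HttpEvent<unknown>> {
  const headerName = 'X-XSRF-TOKEN';
  const url = req.url.toLowerCase();
  // Same exclusions as Angular's built-in XSRF interceptor: read-only methods carry
  // no CSRF risk, and the token must never be sent to another origin. If the API is
  // called via absolute URLs, replace the scheme check with a comparison against
  // the API origin instead of dropping it.
  if (req.method === 'GET' || req.method === 'HEAD' || url.startsWith('http://') || url.startsWith('https://')) {
    return next.handle(req);
  }
  const token = this.tokenExtractor.getToken();
  if (token !== null && !req.headers.has(headerName)) {
    req = req.clone({headers: req.headers.set(headerName, token)});
  }
  return next.handle(req);
}
```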