Commit ee34e4cb authored by Aleksandr Ivanov's avatar Aleksandr Ivanov

RIHAKB-414 csrf support implemented

parent fdadfbfe
......@@ -38,6 +38,8 @@ import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.web.util.UriUtils;
import javax.servlet.Filter;
......@@ -104,7 +106,7 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable() // needed for JWT verification
.csrf().csrfTokenRepository(csrfTokenRepository()).and()
.cors().disable()
.authorizeRequests()
......@@ -154,6 +156,13 @@ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
.addObjectPostProcessor(new CustomPostProcessor());
}
private CsrfTokenRepository csrfTokenRepository() {
CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
cookieCsrfTokenRepository.setCookieHttpOnly(false);
cookieCsrfTokenRepository.setCookiePath("/");
return cookieCsrfTokenRepository;
}
protected AuthenticationSuccessHandler successHandler() {
return (request, response, authentication) -> {
log.info("Kasutaja {} ID koodiga {} logis sisse kasutades amr: {} ",
......
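Review bot: The removed line carried the comment `// needed for JWT verification`, and the new `.csrf().csrfTokenRepository(csrfTokenRepository()).and()` re-enables CSRF checking without any visible exemption for that flow; if the JWT verification involves a cross-site POST into this application (an OIDC callback, for example), the CSRF filter will now reject it unless an `ignoringAntMatchers(...)` rule is added, and the rest of `configure`, which continues outside the hunk, does not show one. The new `csrfTokenRepository()` method is copied verbatim into `WebSecurityDevConfiguration` in the next file section even though that class extends this one; declaring it `protected` here and deleting the copy keeps the two configurations from drifting, and since its body is what `CookieCsrfTokenRepository.withHttpOnlyFalse()` already builds, `CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();` followed by the `setCookiePath("/")` call would suffice. `setCookieHttpOnly(false)` is deliberate here because the Angular client has to read the cookie to echo it in the `X-XSRF-TOKEN` header, so a one-line comment saying so would keep a later reader from "hardening" it back to true and silently breaking every mutating request. The cookie's Secure flag is left at the repository default, which on Spring Security 5.x follows `request.isSecure()` (to be confirmed against the project's version); if the application sits behind a TLS-terminating proxy, that default is worth pinning explicitly via `setSecure(true)` where the version offers it.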
......@@ -9,6 +9,8 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@Configuration
......@@ -27,7 +29,7 @@ public class WebSecurityDevConfiguration extends WebSecurityConfiguration {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.csrf().csrfTokenRepository(csrfTokenRepository()).and()
.cors().disable()
.authorizeRequests()
.anyRequest()
......@@ -43,4 +45,11 @@ public class WebSecurityDevConfiguration extends WebSecurityConfiguration {
.loginPage("/oauth2/authorization/tara")
.loginProcessingUrl("/oauth2/authorization/tara");
}
private CsrfTokenRepository csrfTokenRepository() {
CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
cookieCsrfTokenRepository.setCookieHttpOnly(false);
cookieCsrfTokenRepository.setCookiePath("/");
return cookieCsrfTokenRepository;
}
}
......@@ -10,7 +10,7 @@ import {BrowserAnimationsModule} from '@angular/platform-browser/animations';
import {ToastrModule} from 'ngx-toastr';
import {CustomFormsModule} from 'ng2-validation';
import {UiSwitchModule} from 'ngx-ui-switch';
import {HttpClient, HttpClientModule} from '@angular/common/http';
import {HttpClient, HttpClientModule, HttpClientXsrfModule} from '@angular/common/http';
import missingTranslationHandler from './app.missingTranslation';
......@@ -195,6 +195,7 @@ const routes: Routes = [
deps: [HttpClient]
}
}),
HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN'}),
NgbModule
],
entryComponents: [
......
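Review bot: `HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN'})` on the added line only restates Angular's default cookie name, so it documents nothing on its own; either plain `HttpClientXsrfModule` or an options object that also pins `headerName: 'X-XSRF-TOKEN'` would make the contract with the server's `CookieCsrfTokenRepository` (cookie `XSRF-TOKEN`, header `X-XSRF-TOKEN`) explicit in one place. Importing this module already registers Angular's own XSRF interceptor, so the hand-written `HttpXsrfInterceptor` added elsewhere in this commit duplicates work that is now done for free; keeping only one of the two avoids two interceptors racing to set the same header.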
import {HTTP_INTERCEPTORS} from '@angular/common/http';
import {SessionInterceptor} from './session-interceptor';
import {HttpXsrfInterceptor} from './xcsrf-interceptor';
/** Http interceptor providers in outside-in order */
export const httpInterceptorProviders = [
{provide: HTTP_INTERCEPTORS, useClass: HttpXsrfInterceptor, multi: true},
{provide: HTTP_INTERCEPTORS, useClass: SessionInterceptor, multi: true},
];
import {HttpEvent, HttpHandler, HttpInterceptor, HttpRequest, HttpXsrfTokenExtractor} from '@angular/common/http';
import {Injectable} from '@angular/core';
import {Observable} from 'rxjs';
@Injectable()
export class HttpXsrfInterceptor implements HttpInterceptor {
constructor(private tokenExtractor: HttpXsrfTokenExtractor) {
}
intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
const headerName = 'X-XSRF-TOKEN';
let token = this.tokenExtractor.getToken() as string;
if (token !== null && !req.headers.has(headerName)) {
req = req.clone({ headers: req.headers.set(headerName, token) });
}
return next.handle(req);
}
}
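Review bot: `intercept` attaches the `X-XSRF-TOKEN` header to every request, including GET/HEAD and absolute URLs, whereas Angular's built-in XSRF interceptor (registered by `HttpClientXsrfModule` in app.module.ts) skips safe methods and any `http://`/`https://` URL precisely so the token is never sent to another origin; as written, a third-party API called through `HttpClient` would receive this application's CSRF token. Since the module's interceptor already covers same-origin mutating requests, the simplest fix is to delete this class and its entry in `httpInterceptorProviders`; if it must stay, add `if (req.method === 'GET' || req.method === 'HEAD' || /^https?:\/\//i.test(req.url)) { return next.handle(req); }` before the header is set. The `as string` cast on `this.tokenExtractor.getToken()` hides the `string | null` return type that the following `token !== null` check depends on; `const token = this.tokenExtractor.getToken();` is both accurate and lets `let` become `const`.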