
dev en cours

rajah 11 ay önce
ebeveyn
işleme
49dd88aade

+ 10 - 1
src/main/java/fr/triplea/demovote/security/SecurityConfig.java

@@ -17,10 +17,14 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
+//import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 
+import fr.triplea.demovote.security.cors.CorsFilter;
+import fr.triplea.demovote.security.csrf.CsrfHeaderFilter;
 import fr.triplea.demovote.security.jwt.JwtTokenFilter;
 
 import org.springframework.security.web.context.DelegatingSecurityContextRepository;
@@ -86,11 +90,15 @@ public class SecurityConfig
  
   Class<? extends ChannelProcessingFilter> cpf_clazz = ChannelProcessingFilter.class;
 
+  @Bean
+  public CsrfHeaderFilter csrfHeaderFilter() { return new CsrfHeaderFilter(); }
+  
+  Class<? extends HeaderWriterFilter> csrfhf_clazz = HeaderWriterFilter.class;
   
   @Bean
   SecurityFilterChain securityFilterChain(HttpSecurity http, SecurityContextRepository securityContextRepository) throws Exception 
   {
-    http.csrf(csrf -> csrf.disable())
+    http.csrf(csrf -> csrf.disable())//csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
         .requiresChannel(channel -> channel.anyRequest().requiresSecure())
         .authenticationProvider(authenticationProvider())
         .authorizeHttpRequests((ahreq) -> ahreq
@@ -102,6 +110,7 @@ public class SecurityConfig
           )
         .addFilterBefore(jwtTokenFilter(), upaf_clazz)
         .addFilterBefore(corsFilter(), cpf_clazz)
+        //.addFilterBefore(csrfHeaderFilter(), csrfhf_clazz)
         .securityContext(sc -> sc.securityContextRepository(securityContextRepository).requireExplicitSave(true))
         .headers(headers -> headers
           .xssProtection(xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
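Review bot: CSRF protection stays off at `http.csrf(csrf -> csrf.disable())` while the new `CsrfHeaderFilter` is wired only through a commented-out `//.addFilterBefore(csrfHeaderFilter(), csrfhf_clazz)` and a trailing `//csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())` comment, so the commit leaves the intended protection undecided and ships dead code in three places (also the `//import` line in the first hunk). If this is a Spring Boot application, declaring `csrfHeaderFilter()` as a `@Bean` auto-registers the filter with the servlet container regardless of the commented line, so it already runs on every request outside the security chain, where it finds no `CsrfToken` attribute and does nothing. When the filter is re-enabled, the `csrfhf_clazz = HeaderWriterFilter.class` anchor would place it ahead of the `CsrfFilter` that sets the `CsrfToken` request attribute; `.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)` is the position that matches what the filter reads. Either delete the commented alternatives or replace them with a one-line comment stating why CSRF is disabled for this API (for example, bearer-token-only authentication with no cookie-based session), since that justification is what a reviewer needs here. The `securityFilterChain` method continues past the end of the hunk.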

+ 1 - 1
src/main/java/fr/triplea/demovote/security/CorsFilter.java → src/main/java/fr/triplea/demovote/security/cors/CorsFilter.java

@@ -1,4 +1,4 @@
-package fr.triplea.demovote.security;
+package fr.triplea.demovote.security.cors;
 
 import java.io.IOException;
 

+ 55 - 0
src/main/java/fr/triplea/demovote/security/csrf/CsrfHeaderFilter.java

@@ -0,0 +1,55 @@
+package fr.triplea.demovote.security.csrf;
+
+import java.io.IOException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.WebUtils;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+
+public class CsrfHeaderFilter extends OncePerRequestFilter 
+{
+  
+  private final Logger LOG = LoggerFactory.getLogger(CsrfHeaderFilter.class);
+
+  public CsrfHeaderFilter() { LOG.info("CsrfHeaderFilter init"); }
+
+  @Override
+  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException 
+  {
+    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());   
+    
+    if (csrf != null) 
+    {
+      Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
+      LOG.info("cookie=" + cookie.toString());
+
+      String token = csrf.getToken();
+      LOG.info("token=" + token);
+      
+      if ((cookie == null) || ((token != null) && !(token.equals(cookie.getValue())))) 
+      {
+        cookie = new Cookie("XSRF-TOKEN", token);
+        cookie.setPath("/");
+        
+        response.addCookie(cookie);
+        LOG.info("response=cookie added");
+
+      }
+    }
+      
+    filterChain.doFilter(request, response);
+  }
+
+  @Override
+  public void destroy() {}
+
+}
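Review bot: `LOG.info("cookie=" + cookie.toString())` dereferences the cookie before the `cookie == null` test a few lines below, so the very first request from a client that has no `XSRF-TOKEN` cookie yet fails with a NullPointerException instead of receiving the cookie. The same block also writes the token value to the log at INFO (`LOG.info("token=" + token)`); the token is the secret of the double-submit scheme and should not appear in logs, logging only whether a cookie was present is enough for debugging. The cookie is created without `setSecure`, although the security chain requires HTTPS for every request, and when `token` is null while the cookie is absent a cookie with a null value is written; reordering the condition to require a non-null token and marking the cookie Secure closes both. Independently, `LOG` should be `private static final` rather than an instance field, and the empty `destroy()` override can be dropped since the inherited one already does nothing.
```java
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException 
  {
    // … unchanged: CsrfToken attribute lookup and `if (csrf != null)` …
      Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
      String token = csrf.getToken();
      // Log presence only: the token value is a secret and must not be written to the log.
      LOG.debug("XSRF-TOKEN cookie present={}", cookie != null);

      if ((token != null) && ((cookie == null) || !token.equals(cookie.getValue())))
      {
        cookie = new Cookie("XSRF-TOKEN", token);
        cookie.setPath("/");
        // The chain requires a secure channel for every request, so the cookie is marked Secure as well.
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
      }
    // … unchanged: closing of the null check and filterChain.doFilter(request, response) …
  }
```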

+ 12 - 0
src/main/java/fr/triplea/demovote/web/controller/AuthController.java

@@ -13,6 +13,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -20,6 +21,7 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.servlet.LocaleResolver;
 
 import fr.triplea.demovote.dao.ParticipantRepository;
+import fr.triplea.demovote.dto.JourneesTransfer;
 import fr.triplea.demovote.dto.ParticipantTransfer;
 import fr.triplea.demovote.dto.RefreshTokenTransfer;
 import fr.triplea.demovote.dto.UserCredentials;
@@ -63,6 +65,16 @@ public class AuthController
   private MessageSource messageSource;
   
   
+  @GetMapping(value = "/hello")
+  public ResponseEntity<JourneesTransfer> getDaysLabels() 
+  { 
+    JourneesTransfer jt = new JourneesTransfer();
+
+    jt.setJour1Court("Hello");
+     
+    return ResponseEntity.ok(jt); 
+  }
+
   @PostMapping(value = "/in")
   public ResponseEntity<UserCredentials> signIn(@RequestBody UserCredentials uc, HttpServletRequest request, HttpServletResponse response)
   {
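Review bot: `getDaysLabels()` is mapped to `/hello` and returns a `JourneesTransfer` whose only populated field is the hard-coded `setJour1Court("Hello")`, so the method name, the path and the payload disagree and the endpoint reads as a scratch handler left in the authentication controller. Whether `/hello` is reachable without authentication depends on the `authorizeHttpRequests` rules, which are not visible on this page, so it is worth confirming before this lands. If it is meant to stay for now, mark it as such with `// TODO: provisional placeholder for the day-label endpoint; path and payload are not final` above the `@GetMapping`, otherwise remove it before merge. The `signIn` method that starts at the end of this hunk continues outside it.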

+ 1 - 1
src/main/java/fr/triplea/demovote/web/controller/ParticipantController.java

@@ -136,7 +136,7 @@ public class ParticipantController
           
           Participant created = participantRepository.save(found);
         
-          return ResponseEntity.ok(created);
+          return ResponseEntity.ok(created); // TODO: retourner ici et ailleurs un message court au lieu de la totalité
         }
       }
     }