
dev en cours

rajah 8 bulan lalu
induk
melakukan
fd06dced5a

+ 15 - 6
src/main/java/fr/triplea/demovote/security/SecurityConfig.java

@@ -17,11 +17,12 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
-//import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
-import org.springframework.security.web.header.HeaderWriterFilter;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
 import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.security.web.csrf.CsrfFilter;
 
 import fr.triplea.demovote.security.cors.CorsFilter;
 import fr.triplea.demovote.security.csrf.CsrfHeaderFilter;
@@ -37,7 +38,6 @@ import org.springframework.security.web.context.RequestAttributeSecurityContextR
 public class SecurityConfig
 {
  
-  // TODO: CSRF-TOKEN
   // TODO: déconnexion automatique après timeout
 
   @Bean
@@ -90,15 +90,24 @@ public class SecurityConfig
  
   Class<? extends ChannelProcessingFilter> cpf_clazz = ChannelProcessingFilter.class;
 
+  private CsrfTokenRepository csrfTokenRepository() 
+  {
+    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
+    
+    repository.setHeaderName("X-XSRF-TOKEN"); // Angular: "XSRF" et non pas "CSRF"
+    
+    return repository;
+  }
+  
   @Bean
   public CsrfHeaderFilter csrfHeaderFilter() { return new CsrfHeaderFilter(); }
   
-  Class<? extends HeaderWriterFilter> csrfhf_clazz = HeaderWriterFilter.class;
+  Class<? extends CsrfFilter> csrfhf_clazz = CsrfFilter.class;
   
   @Bean
   SecurityFilterChain securityFilterChain(HttpSecurity http, SecurityContextRepository securityContextRepository) throws Exception 
   {
-    http.csrf(csrf -> csrf.disable())//csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
+    http.csrf(csrf -> csrf.csrfTokenRepository(csrfTokenRepository()))
         .requiresChannel(channel -> channel.anyRequest().requiresSecure())
         .authenticationProvider(authenticationProvider())
         .authorizeHttpRequests((ahreq) -> ahreq
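Review bot: `csrfTokenRepository()` binds the CSRF token to the HTTP session, yet the rest of this chain is token-based (`jwtTokenFilter()`, `requireExplicitSave(true)`), so a client that presents only its JWT without the session cookie will have no stored token to match its `X-XSRF-TOKEN` header and every mutating request is rejected; if the API is meant to be stateless, the `CookieCsrfTokenRepository.withHttpOnlyFalse()` variant being dropped on the old `http.csrf(...)` line is the one that needs no session. The cookie-to-header handoff also presumes the Angular app is served from the same site as this backend: with `CorsFilter` allowing credentialed cross-origin calls, a front-end on another origin cannot read the backend's `XSRF-TOKEN` cookie, so the header would never be sent — worth a short comment on `csrfTokenRepository()` stating that deployment assumption. On style, `csrfhf_clazz` is a package-visible, non-final field used exactly once; `.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)` reads more directly. `securityFilterChain` continues past the end of this hunk.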
@@ -110,7 +119,7 @@ public class SecurityConfig
           )
         .addFilterBefore(jwtTokenFilter(), upaf_clazz)
         .addFilterBefore(corsFilter(), cpf_clazz)
-        //.addFilterBefore(csrfHeaderFilter(), csrfhf_clazz)
+        .addFilterAfter(csrfHeaderFilter(), csrfhf_clazz)
         .securityContext(sc -> sc.securityContextRepository(securityContextRepository).requireExplicitSave(true))
         .headers(headers -> headers
           .xssProtection(xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))

+ 1 - 1
src/main/java/fr/triplea/demovote/security/cors/CorsFilter.java

@@ -26,7 +26,7 @@ public class CorsFilter extends OncePerRequestFilter
     response.setHeader("Access-Control-Allow-Credentials", "true");
     response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS, DELETE");
     response.setHeader("Access-Control-Max-Age", "3600");
-    response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-XSRF-TOKEN");
 
     if (request.getMethod().equals("OPTIONS")) { response.setStatus(HttpServletResponse.SC_ACCEPTED); return; }
 
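Review bot: The `X-XSRF-TOKEN` literal added to `Access-Control-Allow-Headers` is the same name that `SecurityConfig.csrfTokenRepository()` passes to `setHeaderName`, and `CsrfHeaderFilter` hard-codes the matching `XSRF-TOKEN` cookie name; a shared `static final String` constant would keep the three from drifting, since a mismatch here silently turns into a preflight failure rather than a compile error. Because `Access-Control-Allow-Credentials` is `true` two lines above, the `Access-Control-Allow-Origin` value set outside this hunk must be a specific origin rather than `*`, or browsers discard the credentialed response along with the new header. `doFilterInternal` starts before this hunk.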

+ 1 - 5
src/main/java/fr/triplea/demovote/security/csrf/CsrfHeaderFilter.java

@@ -29,11 +29,9 @@ public class CsrfHeaderFilter extends OncePerRequestFilter
     
     if (csrf != null) 
     {
-      Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
-      LOG.info("cookie=" + cookie.toString());
+      Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN"); // Angular: "XSRF" et non pas "CSRF"
 
       String token = csrf.getToken();
-      LOG.info("token=" + token);
       
       if ((cookie == null) || ((token != null) && !(token.equals(cookie.getValue())))) 
       {
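Review bot: The cookie this branch creates is built between the two hunks, outside the visible lines, so I cannot confirm it is marked `Secure`; since `SecurityConfig` enforces `requiresSecure()` on every request, the `XSRF-TOKEN` cookie should get `cookie.setSecure(true)` next to `cookie.setPath("/")` (it must remain script-readable, so no HttpOnly), otherwise the browser will also attach the token to any plain-HTTP request it makes to this host. A caveat on the comparison on this line: if the chain is on Spring Security 6 with the default `XorCsrfTokenRequestAttributeHandler`, `csrf.getToken()` yields a freshly masked value per request, so `token.equals(cookie.getValue())` is always false and the cookie is re-issued on every response — harmless, but a comment such as `// token may be per-request masked; cookie is simply refreshed each time` would stop a reader from taking this as a change detector. The enclosing `doFilterInternal` starts before this hunk.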
@@ -41,8 +39,6 @@ public class CsrfHeaderFilter extends OncePerRequestFilter
         cookie.setPath("/");
         
         response.addCookie(cookie);
-        LOG.info("response=cookie added");
-
       }
     }