Skip to content

Commit

Permalink
#588 add temporary csrf value to cookie filter
Browse files Browse the repository at this point in the history
  • Loading branch information
syjer committed Mar 29, 2019
1 parent ad66d83 commit ae95409
Showing 1 changed file with 24 additions and 1 deletion.
25 changes: 24 additions & 1 deletion src/main/java/alfio/config/WebSecurityConfig.java
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
Expand All @@ -55,6 +56,7 @@
import org.springframework.web.filter.GenericFilterBean;

import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
Expand Down Expand Up @@ -311,9 +313,30 @@ protected void configure(HttpSecurity http) throws Exception {


//

http.addFilterBefore(new RecaptchaLoginFilter(recaptchaService, "/authenticate", "/authentication?recaptchaFailed", configurationManager), UsernamePasswordAuthenticationFilter.class);


//FIXME create session and set csrf cookie if we are getting a v2 public api (temporary), will switch to pure cookie based
http.addFilterBefore(new Filter() {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {


HttpServletRequest req = (HttpServletRequest) servletRequest;
HttpServletResponse res = (HttpServletResponse) servletResponse;
if (req.getRequestURI().startsWith("/api/v2/public/") && "GET".equalsIgnoreCase(req.getMethod())) {
CsrfToken csrf = csrfTokenRepository.loadToken(req);
if(csrf == null) {
csrf = csrfTokenRepository.generateToken(req);
}
Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
cookie.setPath("/");
res.addCookie(cookie);
}
filterChain.doFilter(servletRequest, servletResponse);
}
}, RecaptchaLoginFilter.class);

if(environment.acceptsProfiles(Profiles.of(Initializer.PROFILE_DEMO))) {
http.addFilterAfter(new UserCreatorBeforeLoginFilter(userManager, "/authenticate"), RecaptchaLoginFilter.class);
}
Expand Down

0 comments on commit ae95409

Please sign in to comment.