aboutsummaryrefslogtreecommitdiff
path: root/src/main/java/com/juick
diff options
context:
space:
mode:
authorGravatar Vitaly Takmazov2022-12-20 16:58:42 +0300
committerGravatar Vitaly Takmazov2022-12-20 16:58:42 +0300
commit1d1924a5c85775721a89378ca39a712f336b8f74 (patch)
tree8edf5478e0bccb15b69288766fe1efc9e02e5218 /src/main/java/com/juick
parentf0e10dc93f400e8ba979760a1c7af9d6e53cd1ef (diff)
Disable CSRF entirely
Diffstat (limited to 'src/main/java/com/juick')
-rw-r--r--src/main/java/com/juick/config/SecurityConfig.java8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java
index 0d570dc7..869a6d06 100644
--- a/src/main/java/com/juick/config/SecurityConfig.java
+++ b/src/main/java/com/juick/config/SecurityConfig.java
@@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.AuthenticationEntryPoint;
@@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import javax.inject.Inject;
import java.util.Arrays;
import java.util.Collections;
-import javax.inject.Inject;
-
/**
* Created by aalexeev on 11/21/16.
*/
@@ -191,7 +191,7 @@ public class SecurityConfig {
.configurationSource(corsConfigurationSource()))
.sessionManagement(
sessionManagement -> sessionManagement
- .sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
+ .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.logout(logout -> logout
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.invalidateHttpSession(true)
@@ -203,7 +203,7 @@ public class SecurityConfig {
.successHandler(successHandler())
.failureUrl("/login?error=1")
.permitAll())
- .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**"))
+ .csrf(AbstractHttpConfigurer::disable)
.rememberMe(rememberMe -> rememberMe
.rememberMeCookieDomain(webDomain).key(rememberMeKey)
.rememberMeServices(hashCookieServices()))