Disable CSRF entirely

author: Vitaly Takmazov 2022-12-20 16:58:42 +0300
committer: Vitaly Takmazov 2022-12-20 16:58:42 +0300
commit: 1d1924a5c85775721a89378ca39a712f336b8f74 (patch)
tree: 8edf5478e0bccb15b69288766fe1efc9e02e5218 /src/main/java
parent: f0e10dc93f400e8ba979760a1c7af9d6e53cd1ef (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java
index 0d570dc7..869a6d06 100644
--- a/src/main/java/com/juick/config/SecurityConfig.java
+++ b/src/main/java/com/juick/config/SecurityConfig.java
@@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
+import javax.inject.Inject;
 import java.util.Arrays;
 import java.util.Collections;
 
-import javax.inject.Inject;
-
 /**
  * Created by aalexeev on 11/21/16.
  */
@@ -191,7 +191,7 @@ public class SecurityConfig {
                         .configurationSource(corsConfigurationSource()))
                 .sessionManagement(
                         sessionManagement -> sessionManagement
-                                .sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
+                                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .logout(logout -> logout
                         .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                         .invalidateHttpSession(true)
@@ -203,7 +203,7 @@ public class SecurityConfig {
                         .successHandler(successHandler())
                         .failureUrl("/login?error=1")
                         .permitAll())
-                .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**"))
+                .csrf(AbstractHttpConfigurer::disable)
                 .rememberMe(rememberMe -> rememberMe
                         .rememberMeCookieDomain(webDomain).key(rememberMeKey)
                         .rememberMeServices(hashCookieServices()))
author	Vitaly Takmazov	2022-12-20 16:58:42 +0300
committer	Vitaly Takmazov	2022-12-20 16:58:42 +0300
commit	1d1924a5c85775721a89378ca39a712f336b8f74 (patch)
tree	8edf5478e0bccb15b69288766fe1efc9e02e5218 /src/main/java
parent	f0e10dc93f400e8ba979760a1c7af9d6e53cd1ef (diff)