author | Vitaly Takmazov | 2022-12-20 16:58:42 +0300 |
---|---|---|
committer | Vitaly Takmazov | 2022-12-20 16:58:42 +0300 |
commit | 1d1924a5c85775721a89378ca39a712f336b8f74 (patch) | |
tree | 8edf5478e0bccb15b69288766fe1efc9e02e5218 /src/main/java | |
parent | f0e10dc93f400e8ba979760a1c7af9d6e53cd1ef (diff) |
Disable CSRF entirely
Diffstat (limited to 'src/main/java')
-rw-r--r-- | src/main/java/com/juick/config/SecurityConfig.java | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java
index 0d570dc7..869a6d06 100644
--- a/src/main/java/com/juick/config/SecurityConfig.java
+++ b/src/main/java/com/juick/config/SecurityConfig.java
@@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import javax.inject.Inject;
 import java.util.Arrays;
 import java.util.Collections;
-import javax.inject.Inject;
-
 /**
  * Created by aalexeev on 11/21/16.
  */
@@ -191,7 +191,7 @@ public class SecurityConfig {
                 .configurationSource(corsConfigurationSource()))
                 .sessionManagement(
                     sessionManagement -> sessionManagement
-                        .sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .logout(logout -> logout
                     .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                     .invalidateHttpSession(true)
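Review bot: Switching to `SessionCreationPolicy.STATELESS` in the third hunk means the security context is no longer kept in the HttpSession, so after the form login configured further down (`successHandler`, `failureUrl`) a user stays authenticated on later requests only through the `.rememberMe(...)` cookie; if that is the intent it deserves a comment on the new line, e.g. `// STATELESS: authentication is carried by the remember-me cookie, not the HttpSession`. The `.invalidateHttpSession(true)` on the logout lines just below is then mostly inert, since there is normally no session left to invalidate, which is worth stating so a later reader does not assume session-bound login still works. This is inferred from the Spring Security session-management semantics rather than from lines in the hunk; the enclosing builder chain starts and ends outside it. The first two hunks are import reordering only.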
@@ -203,7 +203,7 @@ public class SecurityConfig {
                     .successHandler(successHandler())
                     .failureUrl("/login?error=1")
                     .permitAll())
-                .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**"))
+                .csrf(AbstractHttpConfigurer::disable)
                 .rememberMe(rememberMe -> rememberMe
                     .rememberMeCookieDomain(webDomain).key(rememberMeKey)
                     .rememberMeServices(hashCookieServices()))
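Review bot: Disabling CSRF on the `.csrf(AbstractHttpConfigurer::disable)` line removes the only request-forgery check for endpoints that are still authenticated by an ambient browser cookie, because `.rememberMe(...)` with `rememberMeCookieDomain(webDomain)` directly below keeps cookie-based authentication in place; the `SessionCreationPolicy.STATELESS` change in the previous hunk does not change that, since it only stops the server from creating an HttpSession. A session-free setup can keep the check by storing the token in a cookie instead: `.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**"))`, which preserves the two exemptions the removed line had. The explicit `AntPathRequestMatcher("/logout")` in the earlier hunk matches any HTTP method, so with CSRF off a logout also goes through with no token at all. The enclosing `SecurityConfig` builder method starts and ends outside this hunk.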