diff options
Diffstat (limited to 'src')
10 files changed, 10 insertions, 26 deletions
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java index 0d570dc7..869a6d06 100644 --- a/src/main/java/com/juick/config/SecurityConfig.java +++ b/src/main/java/com/juick/config/SecurityConfig.java @@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.AuthenticationEntryPoint; @@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; +import javax.inject.Inject; import java.util.Arrays; import java.util.Collections; -import javax.inject.Inject; - /** * Created by aalexeev on 11/21/16. */ @@ -191,7 +191,7 @@ public class SecurityConfig { .configurationSource(corsConfigurationSource())) .sessionManagement( sessionManagement -> sessionManagement - .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)) + .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .logout(logout -> logout .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .invalidateHttpSession(true) @@ -203,7 +203,7 @@ public class SecurityConfig { .successHandler(successHandler()) .failureUrl("/login?error=1") .permitAll()) - .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**")) + .csrf(AbstractHttpConfigurer::disable) .rememberMe(rememberMe -> rememberMe .rememberMeCookieDomain(webDomain).key(rememberMeKey) .rememberMeServices(hashCookieServices())) diff --git a/src/main/resources/templates/layouts/default.html b/src/main/resources/templates/layouts/default.html index 9167dbfb..55c7e8b1 100644 --- a/src/main/resources/templates/layouts/default.html +++ b/src/main/resources/templates/layouts/default.html @@ -35,7 +35,7 @@ <link rel="manifest" href="//i.juick.com/manifest.json" /> </head> -<body id="body" {% if visitor.uid > 0 %}data-hash="{{visitor.authHash}}" {% else %}data-token="{{_csrf.token}}" {% endif %}> +<body id="body" {% if visitor.uid > 0 %}data-hash="{{visitor.authHash}}"{% endif %}> <div id="app"> {% include "views/partial/navigation" %} <div id="content_wrapper"> diff --git a/src/main/resources/templates/views/login.html b/src/main/resources/templates/views/login.html index f61853e8..046e5b09 100644 --- a/src/main/resources/templates/views/login.html +++ b/src/main/resources/templates/views/login.html @@ -42,7 +42,6 @@ <div id="signinform"> <form action="/login" method="POST"> <p class="err">{{ authErrorMessage | default('') }}</p> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input class="txt" type="text" name="username" placeholder='{{ i18n("messages","label.username") }}' id="nickinput" autocomplete="username" /> <input class="txt" type="password" name="password" diff --git a/src/main/resources/templates/views/pm_inbox.html b/src/main/resources/templates/views/pm_inbox.html index 10cd0a30..f89b2923 100644 --- a/src/main/resources/templates/views/pm_inbox.html +++ b/src/main/resources/templates/views/pm_inbox.html @@ -17,7 +17,6 @@ <div class="msg-txt">{{ msg | formatMessage }}</div> <form class="pmmsg"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="uname" value="{{ msg.user.name }}"/> <div class="msg-comment"> <div class="ta-wrapper"> diff --git a/src/main/resources/templates/views/pm_sent.html b/src/main/resources/templates/views/pm_sent.html index 2f95dad1..f0af71d3 100644 --- a/src/main/resources/templates/views/pm_sent.html +++ b/src/main/resources/templates/views/pm_sent.html @@ -1,7 +1,6 @@ {% extends "layouts/default" %} {% block content %} <form class="pmmsg"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <div class="newpm"> <div class="newpm-to">To: <input type="text" name="uname" placeholder="username" value="{{ uname }}"/></div> <div class="newpm-body"><textarea name="body" rows="2"></textarea></div> diff --git a/src/main/resources/templates/views/post.html b/src/main/resources/templates/views/post.html index f1070d7a..a77fa3bd 100644 --- a/src/main/resources/templates/views/post.html +++ b/src/main/resources/templates/views/post.html @@ -5,7 +5,6 @@ <form id="postmsg"> <p style="text-align: left;"> <b>Фото:</b> <span id="attachmentfile"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input style="width: 100%;" type="file" name="attach" accept="image/jpeg,image/png"/> <i>({{ i18n("messages","postForm.imageFormats") }})</i></span> </p> <p> diff --git a/src/main/resources/templates/views/settings_about.html b/src/main/resources/templates/views/settings_about.html index 846a3d11..5e308671 100644 --- a/src/main/resources/templates/views/settings_about.html +++ b/src/main/resources/templates/views/settings_about.html @@ -1,7 +1,7 @@ {% extends "layouts/default" %} {% block content %} <article> - <form action="/settings?{{_csrf.parameterName}}={{_csrf.token}}" method="POST" enctype="multipart/form-data"> + <form action="/settings" method="POST" enctype="multipart/form-data"> <p>Full name: <input type="text" name="fullname" value="{{ userinfo.fullName }}"/></p> <p>Country: <input type="text" name="country" value="{{ userinfo.country }}"/></p> <p>URL: <input type="text" name="url" value="{{ userinfo.url }}" size="32"/><br/> diff --git a/src/main/resources/templates/views/settings_main.html b/src/main/resources/templates/views/settings_main.html index c819177e..0c0853f5 100644 --- a/src/main/resources/templates/views/settings_main.html +++ b/src/main/resources/templates/views/settings_main.html @@ -6,7 +6,6 @@ <h2 style="color: red; padding: 20px;">Verify your account by adding email or social account</h2> {% endif %} <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <fieldset> <legend>Notification options</legend> <p><input type="checkbox" name="jnotify" value="1" {% if notify_options.repliesEnabled %} @@ -22,8 +21,7 @@ <legend style="background: url(/durov.png) no-repeat; padding-left: 58px; line-height: 48px; background-size: contain;"> Telegram</legend> {% if telegram_name is not empty %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div>Telegram: <b>{{ telegram_name }}</b> — <input type="hidden" name="page" value="telegram-del"/> <input type="submit" value=" Disable " {% if not beans.userServiceImpl.canDeleteTelegramUser(visitor) %}disabled="disabled"{% endif %} class="Button" /> @@ -36,7 +34,6 @@ </fieldset> {% if jids | length > 0 %} <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <fieldset> <legend style="background: url(//static.juick.com/settings/xmpp.png) no-repeat; padding-left: 58px; line-height: 48px;"> XMPP accounts @@ -66,7 +63,6 @@ E-mail </legend> <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <p>Add account:<br/> <input type="text" name="account"/> <input type="hidden" name="page" value="email-add"/> @@ -74,7 +70,6 @@ </p> </form> <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <p>Your accounts:</p> <p> {% for email in emails %} @@ -92,7 +87,6 @@ {% if emails is not empty %} <!--email_off--> <form action="/settings" method="POST"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <p>You can receive notifications to email:<br/> Sent to <select name="account"> <option value="">Disabled</option> @@ -117,8 +111,7 @@ </legend> {% if fbstatus.connected %} {% if fbstatus.crosspostEnabled %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div> Facebook: <b>Enabled</b> — <input type="hidden" name="page" value="facebook-disable"/> @@ -126,8 +119,7 @@ </div> </form> {% else %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div> Facebook: <b>Disabled</b> — <input type="hidden" name="page" value="facebook-enable"/> @@ -143,8 +135,7 @@ <legend style="background: url(//static.juick.com/settings/twitter.png) no-repeat; padding-left: 58px; line-height: 48px;"> Twitter</legend> {% if twitter_name is not empty %} - <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> + <form action="/settings" method="POST"> <div>Twitter: <b>{{ twitter_name }}</b> — <input type="hidden" name="page" value="twitter-del"/> <input type="submit" class="Button" value=" Disable "/> diff --git a/src/main/resources/templates/views/settings_password.html b/src/main/resources/templates/views/settings_password.html index c09a97dd..4a9c403a 100644 --- a/src/main/resources/templates/views/settings_password.html +++ b/src/main/resources/templates/views/settings_password.html @@ -4,7 +4,6 @@ <fieldset> <legend>Changing your password</legend> <form action="/settings" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="page" value="password"/> <p>Change password: <input type="password" name="password" size="8"/> <input class="Button" type="submit" value=" Update "/><br/> diff --git a/src/main/resources/templates/views/signup.html b/src/main/resources/templates/views/signup.html index ad5f8dfb..d3742734 100644 --- a/src/main/resources/templates/views/signup.html +++ b/src/main/resources/templates/views/signup.html @@ -14,7 +14,6 @@ <h2 class="signup-h2">Связать с существующим аккаунтом Juick</h2> <form action="/signup" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="action" value="link"/> <input type="hidden" name="type" value="{{ type }}"/> <input type="hidden" name="hash" value="{{ hash }}"/> @@ -32,7 +31,6 @@ <h2 class="signup-h2">Создать новый аккаунт Juick</h2> <form action="/signup" method="post"> - <input type="hidden" name="{{_csrf.parameterName}}" value="{{_csrf.token}}" /> <input type="hidden" name="action" value="new"/> <input type="hidden" name="type" value="{{ type }}"/> <input type="hidden" name="hash" value="{{ hash }}"/> |