From 1d1924a5c85775721a89378ca39a712f336b8f74 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Tue, 20 Dec 2022 16:58:42 +0300 Subject: Disable CSRF entirely --- src/main/java/com/juick/config/SecurityConfig.java | 8 ++++---- src/main/resources/templates/layouts/default.html | 2 +- src/main/resources/templates/views/login.html | 1 - src/main/resources/templates/views/pm_inbox.html | 1 - src/main/resources/templates/views/pm_sent.html | 1 - src/main/resources/templates/views/post.html | 1 - src/main/resources/templates/views/settings_about.html | 2 +- src/main/resources/templates/views/settings_main.html | 17 ++++------------- .../resources/templates/views/settings_password.html | 1 - src/main/resources/templates/views/signup.html | 2 -- 10 files changed, 10 insertions(+), 26 deletions(-) diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java index 0d570dc7..869a6d06 100644 --- a/src/main/java/com/juick/config/SecurityConfig.java +++ b/src/main/java/com/juick/config/SecurityConfig.java @@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.AuthenticationEntryPoint; @@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; +import javax.inject.Inject; import java.util.Arrays; import java.util.Collections; -import javax.inject.Inject; - /** * Created by aalexeev on 11/21/16. */ @@ -191,7 +191,7 @@ public class SecurityConfig { .configurationSource(corsConfigurationSource())) .sessionManagement( sessionManagement -> sessionManagement - .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)) + .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .logout(logout -> logout .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .invalidateHttpSession(true) @@ -203,7 +203,7 @@ public class SecurityConfig { .successHandler(successHandler()) .failureUrl("/login?error=1") .permitAll()) - .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**")) + .csrf(AbstractHttpConfigurer::disable) .rememberMe(rememberMe -> rememberMe .rememberMeCookieDomain(webDomain).key(rememberMeKey) .rememberMeServices(hashCookieServices())) diff --git a/src/main/resources/templates/layouts/default.html b/src/main/resources/templates/layouts/default.html index 9167dbfb..55c7e8b1 100644 --- a/src/main/resources/templates/layouts/default.html +++ b/src/main/resources/templates/layouts/default.html @@ -35,7 +35,7 @@ - 0 %}data-hash="{{visitor.authHash}}" {% else %}data-token="{{_csrf.token}}" {% endif %}> + 0 %}data-hash="{{visitor.authHash}}"{% endif %}>

{% include "views/partial/navigation" %}

diff --git a/src/main/resources/templates/views/login.html b/src/main/resources/templates/views/login.html index f61853e8..046e5b09 100644 --- a/src/main/resources/templates/views/login.html +++ b/src/main/resources/templates/views/login.html @@ -42,7 +42,6 @@

-

diff --git a/src/main/resources/templates/views/pm_sent.html b/src/main/resources/templates/views/pm_sent.html index 2f95dad1..f0af71d3 100644 --- a/src/main/resources/templates/views/pm_sent.html +++ b/src/main/resources/templates/views/pm_sent.html @@ -1,7 +1,6 @@ {% extends "layouts/default" %} {% block content %} -

To:

diff --git a/src/main/resources/templates/views/post.html b/src/main/resources/templates/views/post.html index f1070d7a..a77fa3bd 100644 --- a/src/main/resources/templates/views/post.html +++ b/src/main/resources/templates/views/post.html @@ -5,7 +5,6 @@

Фото: - ({{ i18n("messages","postForm.imageFormats") }})

diff --git a/src/main/resources/templates/views/settings_about.html b/src/main/resources/templates/views/settings_about.html index 846a3d11..5e308671 100644 --- a/src/main/resources/templates/views/settings_about.html +++ b/src/main/resources/templates/views/settings_about.html @@ -1,7 +1,7 @@ {% extends "layouts/default" %} {% block content %}

- +

Full name:

Country:

URL:
diff --git a/src/main/resources/templates/views/settings_main.html b/src/main/resources/templates/views/settings_main.html index c819177e..0c0853f5 100644 --- a/src/main/resources/templates/views/settings_main.html +++ b/src/main/resources/templates/views/settings_main.html @@ -6,7 +6,6 @@

Verify your account by adding email or social account

{% endif %} -

Notification options

Telegram {% if telegram_name is not empty %} - - +

Telegram: {{ telegram_name }} — @@ -36,7 +34,6 @@

{% if jids | length > 0 %} -

XMPP accounts @@ -66,7 +63,6 @@ E-mail -

Add account:
@@ -74,7 +70,6 @@

{% else %} -

- +

Facebook: Disabled — @@ -143,8 +135,7 @@ Twitter {% if twitter_name is not empty %} - - +

Twitter: {{ twitter_name }} — diff --git a/src/main/resources/templates/views/settings_password.html b/src/main/resources/templates/views/settings_password.html index c09a97dd..4a9c403a 100644 --- a/src/main/resources/templates/views/settings_password.html +++ b/src/main/resources/templates/views/settings_password.html @@ -4,7 +4,6 @@

Changing your password -

Change password:
diff --git a/src/main/resources/templates/views/signup.html b/src/main/resources/templates/views/signup.html index ad5f8dfb..d3742734 100644 --- a/src/main/resources/templates/views/signup.html +++ b/src/main/resources/templates/views/signup.html @@ -14,7 +14,6 @@

- @@ -32,7 +31,6 @@ - -- cgit v1.2.3