From 1d1924a5c85775721a89378ca39a712f336b8f74 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Tue, 20 Dec 2022 16:58:42 +0300
Subject: Disable CSRF entirely
---
 src/main/java/com/juick/config/SecurityConfig.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/main/java/com/juick/config/SecurityConfig.java')
diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java
index 0d570dc7..869a6d06 100644
--- a/src/main/java/com/juick/config/SecurityConfig.java
+++ b/src/main/java/com/juick/config/SecurityConfig.java
@@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import javax.inject.Inject;
 import java.util.Arrays;
 import java.util.Collections;
-import javax.inject.Inject;
-
 /**
 * Created by aalexeev on 11/21/16.
 */
@@ -191,7 +191,7 @@ public class SecurityConfig {
 .configurationSource(corsConfigurationSource()))
 .sessionManagement(
 sessionManagement -> sessionManagement
- .sessionCreationPolicy(SessionCreationPolicy.ALWAYS))
+ .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .logout(logout -> logout
 .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
 .invalidateHttpSession(true)
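Review bot: Switching to `SessionCreationPolicy.STATELESS` means the security context is no longer kept in an `HttpSession`, yet the surrounding chain still configures form login, a logout with `invalidateHttpSession(true)` and remember-me, and nothing in the hunk says what carries the identity between requests now. If that is the remember-me cookie, a browser login persists only when `successHandler()` and `hashCookieServices()` (both defined outside this hunk) issue the cookie on every successful login, and logout has to clear that cookie because there is no longer a session to invalidate. I would record the intent next to the changed line, e.g. `// STATELESS: no HttpSession; browser identity comes from the remember-me cookie only`, and confirm the logout path removes the cookie. The filter-chain method starts and ends outside the hunk.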
@@ -203,7 +203,7 @@ public class SecurityConfig {
 .successHandler(successHandler())
 .failureUrl("/login?error=1")
 .permitAll())
- .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**"))
+ .csrf(AbstractHttpConfigurer::disable)
 .rememberMe(rememberMe -> rememberMe
 .rememberMeCookieDomain(webDomain).key(rememberMeKey)
 .rememberMeServices(hashCookieServices()))
-- 
cgit v1.2.3
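Review bot: `.csrf(AbstractHttpConfigurer::disable)` removes CSRF protection from every endpoint of this chain, while the lines just below still authenticate browsers with a remember-me cookie scoped to `webDomain`; browsers attach that cookie to cross-site requests automatically, so the stateless session policy alone does not make the token unnecessary. The removed line exempted only two paths, and if more exemptions are needed the narrower form can be kept and extended, e.g. `.csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**", "/api/**"))` (`"/api/**"` is a constructed example, not a path from this file). If CSRF stays disabled, the remember-me cookie should carry `SameSite=Lax` or stricter and state-changing handlers should reject GET; neither is visible here, so both need checking in `hashCookieServices()` and the controllers. The commit message gives no reason, so a comment such as `// CSRF disabled: cookie is SameSite=<value>, see <ticket>` would keep the trade-off visible. The method body continues outside the hunk.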