From 1d1924a5c85775721a89378ca39a712f336b8f74 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Tue, 20 Dec 2022 16:58:42 +0300 Subject: Disable CSRF entirely --- src/main/java/com/juick/config/SecurityConfig.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/main/java/com') diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java index 0d570dc7..869a6d06 100644 --- a/src/main/java/com/juick/config/SecurityConfig.java +++ b/src/main/java/com/juick/config/SecurityConfig.java @@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.AuthenticationEntryPoint; @@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; +import javax.inject.Inject; import java.util.Arrays; import java.util.Collections; -import javax.inject.Inject; - /** * Created by aalexeev on 11/21/16. */ @@ -191,7 +191,7 @@ public class SecurityConfig { .configurationSource(corsConfigurationSource())) .sessionManagement( sessionManagement -> sessionManagement - .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)) + .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .logout(logout -> logout .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .invalidateHttpSession(true) @@ -203,7 +203,7 @@ public class SecurityConfig { .successHandler(successHandler()) .failureUrl("/login?error=1") .permitAll()) - .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**")) + .csrf(AbstractHttpConfigurer::disable) .rememberMe(rememberMe -> rememberMe .rememberMeCookieDomain(webDomain).key(rememberMeKey) .rememberMeServices(hashCookieServices())) -- cgit v1.2.3