From 1d1924a5c85775721a89378ca39a712f336b8f74 Mon Sep 17 00:00:00 2001 From: Vitaly Takmazov Date: Tue, 20 Dec 2022 16:58:42 +0300 Subject: Disable CSRF entirely --- src/main/java/com/juick/config/SecurityConfig.java | 8 ++++---- src/main/resources/templates/layouts/default.html | 2 +- src/main/resources/templates/views/login.html | 1 - src/main/resources/templates/views/pm_inbox.html | 1 - src/main/resources/templates/views/pm_sent.html | 1 - src/main/resources/templates/views/post.html | 1 - src/main/resources/templates/views/settings_about.html | 2 +- src/main/resources/templates/views/settings_main.html | 17 ++++------------- .../resources/templates/views/settings_password.html | 1 - src/main/resources/templates/views/signup.html | 2 -- 10 files changed, 10 insertions(+), 26 deletions(-) (limited to 'src/main') diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java index 0d570dc7..869a6d06 100644 --- a/src/main/java/com/juick/config/SecurityConfig.java +++ b/src/main/java/com/juick/config/SecurityConfig.java @@ -29,6 +29,7 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.AuthenticationEntryPoint; @@ -44,11 +45,10 @@ import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; +import javax.inject.Inject; import java.util.Arrays; import java.util.Collections; -import javax.inject.Inject; - /** * Created by aalexeev on 11/21/16. */ @@ -191,7 +191,7 @@ public class SecurityConfig { .configurationSource(corsConfigurationSource())) .sessionManagement( sessionManagement -> sessionManagement - .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)) + .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .logout(logout -> logout .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .invalidateHttpSession(true) @@ -203,7 +203,7 @@ public class SecurityConfig { .successHandler(successHandler()) .failureUrl("/login?error=1") .permitAll()) - .csrf(csrf -> csrf.ignoringRequestMatchers("/settings/unsubscribe", "/h2-console/**")) + .csrf(AbstractHttpConfigurer::disable) .rememberMe(rememberMe -> rememberMe .rememberMeCookieDomain(webDomain).key(rememberMeKey) .rememberMeServices(hashCookieServices())) diff --git a/src/main/resources/templates/layouts/default.html b/src/main/resources/templates/layouts/default.html index 9167dbfb..55c7e8b1 100644 --- a/src/main/resources/templates/layouts/default.html +++ b/src/main/resources/templates/layouts/default.html @@ -35,7 +35,7 @@ -
0 %}data-hash="{{visitor.authHash}}" {% else %}data-token="{{_csrf.token}}" {% endif %}> + 0 %}data-hash="{{visitor.authHash}}"{% endif %}>