From 7b7b52f5595eee264b89ace50b7d4c1ee1f00df2 Mon Sep 17 00:00:00 2001
From: Aidan Whiteley
Date: Fri, 25 Oct 2024 18:33:49 +0100
Subject: [PATCH] Fixing problems with CSRF and react client

---
 .../books/controller/config/WebSecurityConfiguration.java | 3 ++-
 src/main/resources/application-dev-mongo-java-server.yml | 6 +++---
 src/main/resources/application.yml | 8 ++++----
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/main/java/com/aidanwhiteley/books/controller/config/WebSecurityConfiguration.java b/src/main/java/com/aidanwhiteley/books/controller/config/WebSecurityConfiguration.java
index d4c42ea9..9a8d8364 100644
--- a/src/main/java/com/aidanwhiteley/books/controller/config/WebSecurityConfiguration.java
+++ b/src/main/java/com/aidanwhiteley/books/controller/config/WebSecurityConfiguration.java
@@ -21,6 +21,7 @@ import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.jackson2.CoreJackson2Module;
@@ -106,7 +107,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 // https://github.com/pasupulaphani/angular-csrf-cross-domain
 // So if using CORS, there's no XSRF protection!
 if (enableCORS) {
- http.csrf(csrf -> csrf.disable());
+ http.csrf(AbstractHttpConfigurer::disable);
 LOGGER.warn("");
 LOGGER.warn("**********************************************************************");
 LOGGER.warn("*** WARNING! ***");
diff --git a/src/main/resources/application-dev-mongo-java-server.yml b/src/main/resources/application-dev-mongo-java-server.yml
index b9be454e..01e8d872 100644
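Review bot: `http.csrf(AbstractHttpConfigurer::disable)` is a behaviour-neutral rewrite of the lambda it replaces, so CSRF protection is still switched off entirely whenever enableCORS is true and the only guard that follows is the logged warning. application.yml in this same commit states that enableCORS=true is not supported in production, so that contract is worth recording next to the disable call, e.g. `// CSRF is deliberately disabled only for local cross-origin development; production profiles must keep enableCORS=false`. securityFilterChain starts before this hunk and continues after it.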
--- a/src/main/resources/application-dev-mongo-java-server.yml
+++ b/src/main/resources/application-dev-mongo-java-server.yml
@@ -48,9 +48,9 @@ logging:
 books:
 client:
- enableCORS: true # Note - this value overriden in the IntegrationTest base test class
+ enableCORS: false # Note - this value overriden in the IntegrationTest base test class
 allowedCorsOrigin: http://localhost:9000
- postLogonUrl: http://localhost:9000/
+ postLogonUrl: http://localhost:5173/?logged-on=y
 xsrfHeader: X-XSRF
 google:
@@ -70,7 +70,7 @@ books:
 users:
 default:
 admin:
- email: "exmaple@example.com" # The remote email address for the user that will be automatically made an admin on first logon
+ email: "exampleFrom@example.com" # The remote email address for the user that will be automatically made an admin on first logon
 registrationAdminEmail:
 enabled: false
 emailFrom: "exampleFrom@example.com"
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 8ad98463..e95d2d1e 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -27,11 +27,11 @@ spring:
 google:
 client-id: NotInSCM1
 client-secret: NotInSCM1
- redirect-uri: https://{baseHost}{basePort}{basePath}/login/oauth2/code/google
+ redirect-uri: http://localhost:8080/login/oauth2/code/google
 facebook:
 client-id: NotInSCM2
 client-secret: NotInSCM2
- redirect-uri: https://{baseHost}{basePort}{basePath}/login/oauth2/code/facebook
+ redirect-uri: http://localhost:8080/login/oauth2/code/facebook
 provider:
 # Google provides all the info this app needs by default. Facebook needs configuring.
 facebook:
@@ -98,8 +98,8 @@ books:
 client:
 enableCORS: false # Setting this to true in production is not supported - leaves app at risk of CSRF
- allowedCorsOrigin: http://localhost:9000
- postLogonUrl: http://localhost:9000/
+ allowedCorsOrigin: http://localhost:5173
+ postLogonUrl: http://localhost:5173/?logged-on=y
 xsrfHeader: X-XSRF
 google:
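Review bot: `allowedCorsOrigin: http://localhost:9000` is left untouched in the dev profile while `postLogonUrl` in the same block moves to `http://localhost:5173/?logged-on=y`, so the profile now names two different client origins. With enableCORS flipped to false the CORS origin is inert, but the comment on that line says the IntegrationTest base class overrides the flag, and once CORS is on again the client served from 5173 would not be the allowed origin. Either change it to `allowedCorsOrigin: http://localhost:5173` to match the @@ -98 hunk of application.yml, or add a comment explaining why 9000 is kept.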
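Review bot: the `redirect-uri` for both google and facebook in the base application.yml is replaced with the fixed plaintext value `http://localhost:8080/login/oauth2/code/...`, dropping the `https://{baseHost}{basePort}{basePath}` template that derived a TLS redirect from the actual request. Unless a profile overrides these keys, every non-local deployment now sends the OAuth2 authorization code back to a loopback http URL, which breaks or downgrades the login flow; the hard-coded values look like a local-development setting. Keep the template lines in application.yml and put the localhost override in the dev profile this commit already edits (application-dev-mongo-java-server.yml). The same applies to the @@ -98 hunk, which moves the Vite dev-server origin `http://localhost:5173` into the base file.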