From 870dcd4f537565c418458776aef70593ffa5ec19 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 29 八月 2023 11:34:20 +0800
Subject: [PATCH] [UPDATE] 解決滲透TLS問題 [UPDATE] 解決CSRF問題

---
 pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java |   14 +++++++++-----
 pamapi/src/main/resources/config/application-tls.yml                  |    6 +++++-
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java b/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
index 191ed67..a546258 100644
--- a/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
+++ b/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
@@ -14,6 +14,8 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
 import org.springframework.web.filter.CorsFilter;
 import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;
@@ -58,11 +60,13 @@
         // @formatter:off
         http
             .csrf()
-            .disable()
-            .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
-            .exceptionHandling()
-                .authenticationEntryPoint(problemSupport)
-                .accessDeniedHandler(problemSupport)
+            .ignoringAntMatchers("/api/**")
+            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+        .and()
+        .addFilterBefore(corsFilter, CsrfFilter.class)
+        .exceptionHandling()
+            .authenticationEntryPoint(problemSupport)
+            .accessDeniedHandler(problemSupport)
         .and()
             .headers()
             .contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
diff --git a/pamapi/src/main/resources/config/application-tls.yml b/pamapi/src/main/resources/config/application-tls.yml
index 039f6f4..f160d2d 100644
--- a/pamapi/src/main/resources/config/application-tls.yml
+++ b/pamapi/src/main/resources/config/application-tls.yml
@@ -13,7 +13,11 @@
     key-store-password: password
     key-store-type: PKCS12
     key-alias: selfsigned
-    ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+    ciphers: 
+    	- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+    	- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    	- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    	- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     enabled-protocols: TLSv1.2
   http2:
     enabled: true

--
Gitblit v1.8.0