From 870dcd4f537565c418458776aef70593ffa5ec19 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 29 八月 2023 11:34:20 +0800
Subject: [PATCH] [UPDATE] 解決滲透TLS問題 [UPDATE] 解決CSRF問題
---
pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java b/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
index 191ed67..a546258 100644
--- a/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
+++ b/pamapi/src/main/java/com/pollex/pam/config/SecurityConfiguration.java
@@ -14,6 +14,8 @@
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
import org.springframework.web.filter.CorsFilter;
import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;
@@ -58,11 +60,13 @@
// @formatter:off
http
.csrf()
- .disable()
- .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
- .exceptionHandling()
- .authenticationEntryPoint(problemSupport)
- .accessDeniedHandler(problemSupport)
+ .ignoringAntMatchers("/api/**")
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .and()
+ .addFilterBefore(corsFilter, CsrfFilter.class)
+ .exceptionHandling()
+ .authenticationEntryPoint(problemSupport)
+ .accessDeniedHandler(problemSupport)
.and()
.headers()
.contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
--
Gitblit v1.8.0