Set csrf configuration

ec9dfc5b · Joze RIHTARSIC · 665d8482 · ec9dfc5b · ec9dfc5b · ec9dfc5b
Commit ec9dfc5b authored 3 years ago by Joze RIHTARSIC
--- a/smp-angular/src/app/app.module.ts
+++ b/smp-angular/src/app/app.module.ts
 import {BrowserModule} from '@angular/platform-browser';
 import {NgModule} from '@angular/core';
 import {FormsModule, ReactiveFormsModule} from '@angular/forms';
-import {HttpClient, HttpClientModule} from '@angular/common/http';
+import {HttpClient, HttpClientModule, HttpClientXsrfModule} from '@angular/common/http';
 import {FlexLayoutModule} from '@angular/flex-layout';
 import {
  MatButtonModule,
@@ -153,6 +153,10 @@ import {SmlIntegrationService} from "./domain/sml-integration.service";
    BrowserModule,
    FlexLayoutModule,
    HttpClientModule,
+    HttpClientXsrfModule.withOptions({
+      cookieName: 'XSRF-TOKEN',
+      headerName: 'X-XSRF-TOKEN'
+    }),
    BrowserAnimationsModule,
    FormsModule,
    NgxDatatableModule,
@@ -200,7 +204,7 @@ import {SmlIntegrationService} from "./domain/sml-integration.service";
      provide: ExtendedHttpClient,
      useFactory: extendedHttpClientCreator,
      deps: [HttpClient, HttpEventService, SecurityService]
-    },
+    }
  ],
  bootstrap: [AppComponent]
 })

--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/config/SpringSecurityConfig.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/config/SpringSecurityConfig.java
@@ -36,7 +36,6 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.firewall.DefaultHttpFirewall;
@@ -57,6 +56,8 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    SMPAuthenticationProvider smpAuthenticationProvider;
    BlueCoatAuthenticationFilter blueCoatAuthenticationFilter;
    EDeliveryX509AuthenticationFilter x509AuthenticationFilter;
+    CsrfTokenRepository csrfTokenRepository;
+    RequestMatcher csrfURLMatcher;
    @Value("${authentication.blueCoat.enabled:false}")
    boolean clientCertEnabled;
@@ -73,11 +74,15 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    public SpringSecurityConfig(SMPAuthenticationProvider smpAuthenticationProvider,
                                @Lazy BlueCoatAuthenticationFilter blueCoatAuthenticationFilter,
-                                @Lazy EDeliveryX509AuthenticationFilter x509AuthenticationFilter) {
+                                @Lazy EDeliveryX509AuthenticationFilter x509AuthenticationFilter,
+                                @Lazy CsrfTokenRepository csrfTokenRepository,
+                                @Lazy RequestMatcher csrfURLMatcher) {
        super(false);
        this.smpAuthenticationProvider = smpAuthenticationProvider;
        this.blueCoatAuthenticationFilter = blueCoatAuthenticationFilter;
        this.x509AuthenticationFilter = x509AuthenticationFilter;
+        this.csrfTokenRepository = csrfTokenRepository;
+        this.csrfURLMatcher = csrfURLMatcher;
    }
    @Override
@@ -87,9 +92,7 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
        blueCoatAuthenticationFilter.setBlueCoatEnabled(clientCertEnabled);
        httpSecurity
-//                .csrf().disable()
+                .csrf().csrfTokenRepository(csrfTokenRepository).requireCsrfProtectionMatcher(csrfURLMatcher).and()
-                .csrf().csrfTokenRepository(tokenRepository()).requireCsrfProtectionMatcher(csrfURLMatcher()).and()
-                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS).and()
                .exceptionHandling().authenticationEntryPoint(new SpringSecurityExceptionHandler()).and()
                .headers().frameOptions().deny().contentTypeOptions().and().xssProtection().xssProtectionEnabled(true).and().and()
@@ -161,26 +164,33 @@ public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
    }
    @Bean
-    public CsrfTokenRepository tokenRepository(){
+    public CsrfTokenRepository tokenRepository() {
-        CookieCsrfTokenRepository csrfTokenRepository = new CookieCsrfTokenRepository();
+        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
-        csrfTokenRepository.setCookieHttpOnly(false);
+        return repository;
-        return csrfTokenRepository;
    }
    @Bean
    public RequestMatcher csrfURLMatcher() {
        URLCsrfMatcher requestMatcher = new URLCsrfMatcher();
+        // init pages
+        requestMatcher.addIgnoreUrl("^/$", HttpMethod.GET);
+        requestMatcher.addIgnoreUrl("favicon.ico$", HttpMethod.GET);
+        requestMatcher.addIgnoreUrl("^/(index.html|ui/(#/)?|)$", HttpMethod.GET);
        // Csrf ignore "SMP API 'stateless' calls! (each call is authenticated and session is not used!)"
        requestMatcher.addIgnoreUrl("/.*::.*(/services/?.*)?", HttpMethod.GET, HttpMethod.DELETE, HttpMethod.POST, HttpMethod.PUT);
        // ignore for login and logout
        requestMatcher.addIgnoreUrl("/ui/rest/security/authentication", HttpMethod.DELETE, HttpMethod.POST);
-        // info
+        // allow all gets
-        requestMatcher.addIgnoreUrl("/ui/rest/application/(info|rootContext|name)", HttpMethod.GET);
+        requestMatcher.addIgnoreUrl("/ui/.*", HttpMethod.GET);
+        // altternative fine tuned
+        //requestMatcher.addIgnoreUrl("/ui/(index.html|styles.*|runtime.*|polyfills.*|main.*)", HttpMethod.GET);
+        //requestMatcher.addIgnoreUrl("/ui/.*(\\.html|\\.css|\\.js)$", HttpMethod.GET);
+        //requestMatcher.addIgnoreUrl("/ui/assets/.*", HttpMethod.GET); // allow to retrieve assets
+        //requestMatcher.addIgnoreUrl("/ui/rest/(domain|search).*", HttpMethod.GET); // public methods
+        //requestMatcher.addIgnoreUrl("/ui/rest/application/(info|rootContext|name)", HttpMethod.GET); // public methods
        // monitor
        requestMatcher.addIgnoreUrl("/monitor/is-alive", HttpMethod.GET);
-        // public search
-        requestMatcher.addIgnoreUrl("/ui/rest/search", HttpMethod.GET);
        return requestMatcher;
    }
 }
--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/ui/AuthenticationResource.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/ui/AuthenticationResource.java
@@ -3,7 +3,6 @@ package eu.europa.ec.edelivery.smp.ui;
 import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationService;
 import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationToken;
-import eu.europa.ec.edelivery.smp.auth.SMPAuthority;
 import eu.europa.ec.edelivery.smp.auth.SMPAuthorizationService;
 import eu.europa.ec.edelivery.smp.data.ui.ErrorRO;
 import eu.europa.ec.edelivery.smp.data.ui.LoginRO;
@@ -22,6 +21,8 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.*;
@@ -54,6 +55,9 @@ public class AuthenticationResource {
    @Autowired
    private ConfigurationService configurationService;
+    @Autowired
+    public CsrfTokenRepository csrfTokenRepository;
    SMPCookieWriter smpCookieWriter = new SMPCookieWriter();
@@ -68,9 +72,10 @@ public class AuthenticationResource {
    @Transactional(noRollbackFor = BadCredentialsException.class)
    public UserRO authenticate(@RequestBody LoginRO loginRO, HttpServletRequest request, HttpServletResponse response) {
        LOG.debug("Authenticating user [{}]", loginRO.getUsername());
-        // reset session id with login
+        // reset session id token and the Csrf Token at login
        recreatedSessionCookie(request, response);
+        CsrfToken csfrToken = csrfTokenRepository.generateToken(request);
+        csrfTokenRepository.saveToken(csfrToken, request, response);
        SMPAuthenticationToken authentication = (SMPAuthenticationToken) authenticationService.authenticate(loginRO.getUsername(), loginRO.getPassword());
        UserRO userRO = conversionService.convert(authentication.getUser(), UserRO.class);
@@ -111,6 +116,8 @@ public class AuthenticationResource {
     * @param response
     */
    public void recreatedSessionCookie(HttpServletRequest request, HttpServletResponse response) {
+        // recreate session id  (first make sure it exists)
+        request.getSession(true).getId();
        String sessionId = request.changeSessionId();
        smpCookieWriter.writeCookieToResponse(SESSION_COOKIE_NAME,
                sessionId,