
Commit ea4fbe9

committed
updated ignoringAntMatchers for csrf
1 parent 4a4c4f3 commit ea4fbe9


2 files changed

+20
-8
lines changed


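--- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java
+++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java
@@ -18,6 +18,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Arrays;
 
 @Configuration
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@@ -28,16 +29,21 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
     @Autowired
     SecretService secretService;
 
+    // ordered so we can use binary search below
+    private String[] ignoreCsrfAntMatchers = {
+        "/dynamic-builder-compress",
+        "/dynamic-builder-general",
+        "/dynamic-builder-specific",
+        "/set-secrets"
+    };
+
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http
             .addFilterAfter(new JwtCsrfValidatorFilter(), CsrfFilter.class)
             .csrf()
             .csrfTokenRepository(jwtCsrfTokenRepository)
-            .ignoringAntMatchers("/dynamic-builder-general")
-            .ignoringAntMatchers("/dynamic-builder-specific")
-            .ignoringAntMatchers("/dynamic-builder-compress")
-            .ignoringAntMatchers("/set-secrets")
+            .ignoringAntMatchers(ignoreCsrfAntMatchers)
             .and().authorizeRequests()
             .antMatchers("/**")
             .permitAll();
@@ -51,9 +57,15 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 
         CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
 
-        // CsrfFilter already made sure the token matched.
-        // Here, we'll make sure it's not expired
-        if ("POST".equals(request.getMethod()) && token != null) {
+        if (
+            // only care if it's a POST
+            "POST".equals(request.getMethod()) &&
+            // ignore if the request path is in our list
+            Arrays.binarySearch(ignoreCsrfAntMatchers, request.getServletPath()) < 0 &&
+            // make sure we have a token
+            token != null
+        ) {
+            // CsrfFilter already made sure the token matched. Here, we'll make sure it's not expired
             try {
                 Jwts.parser()
                     .setSigningKeyResolver(secretService.getSigningKeyResolver())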
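Review bot: The exemption check in doFilterInternal relies on `Arrays.binarySearch(ignoreCsrfAntMatchers, ...)`, whose result is unspecified if the array ever stops being sorted, and nothing enforces the ordering the comment asks for — a maintainer adding an entry out of order would silently exempt nothing, or the wrong path, with no error. For four entries a linear scan costs the same and has no ordering precondition: `Arrays.asList(ignoreCsrfAntMatchers).contains(request.getServletPath()) &&`, after which the `// ordered so we can use binary search below` comment can go and the field can be declared `private static final String[]`. The two uses of the list also differ in semantics: `ignoringAntMatchers` treats each entry as an Ant pattern while the filter compares `getServletPath()` for string equality, so they only agree as long as every entry is a literal path; a comment on the field such as `// exact paths only: JwtCsrfValidatorFilter compares servletPath by equality, not Ant matching` would keep that coupling visible. The enclosing doFilterInternal method starts and ends outside the hunk.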

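--- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/SecretsController.java
+++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/SecretsController.java
@@ -12,7 +12,7 @@
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 
 @RestController
-public class SecretsController {
+public class SecretsController extends BaseController {
 
     @Autowired
     SecretService secretService;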
