MOCK API -> csrf 제외

This commit is contained in:
현성필
2024-04-25 11:31:44 +09:00
parent 852e55ac24
commit eab712bad9
4 changed files with 73 additions and 8 deletions
@@ -2,6 +2,8 @@ package com.eactive.testmaster.config;
import com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
@@ -12,7 +14,10 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
@Configuration
@EnableWebSecurity
@@ -25,13 +30,14 @@ public class PortalConfigSecurity {
private final PortalAuthenticationManager portalAuthenticationManager;
@Autowired
public PortalConfigSecurity(PortalAuthenticationFailureHandler authenticationFailureHandler,
PortalAuthenticationSuccessHandler authenticationSuccessHandler,
PortalAuthenticationManager portalAuthenticationManager) {
private final CsrfExclusionService csrfExclusionService;
public PortalConfigSecurity(PortalAuthenticationFailureHandler authenticationFailureHandler, PortalAuthenticationSuccessHandler authenticationSuccessHandler, PortalAuthenticationManager portalAuthenticationManager,
CsrfExclusionService csrfExclusionService) {
this.authenticationFailureHandler = authenticationFailureHandler;
this.authenticationSuccessHandler = authenticationSuccessHandler;
this.portalAuthenticationManager = portalAuthenticationManager;
this.csrfExclusionService = csrfExclusionService;
}
@Bean
@@ -44,6 +50,29 @@ public class PortalConfigSecurity {
return registrationBean;
}
@Bean
public CsrfTokenRepository csrfTokenRepository(CsrfExclusionService csrfExclusionService) {
// HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
repository.setCookieHttpOnly(false);
return new CsrfTokenRepository() {
@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
repository.saveToken(token, request, response);
}
@Override
public CsrfToken loadToken(HttpServletRequest request) {
return repository.loadToken(request);
}
@Override
public CsrfToken generateToken(HttpServletRequest request) {
return repository.generateToken(request);
}
};
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
@@ -59,8 +88,11 @@ public class PortalConfigSecurity {
.logoutRequestMatcher(new AntPathRequestMatcher("/actionLogout.do", "GET"))
.logoutSuccessUrl("/"))
.csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers("/h2-console/**")
.csrfTokenRepository(csrfTokenRepository(csrfExclusionService))
.ignoringRequestMatchers(request -> csrfExclusionService.shouldExclude(request.getServletPath()))
.ignoringAntMatchers("/h2-console/**")
// .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
).headers(headers -> headers.frameOptions().sameOrigin())
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
@@ -68,7 +100,6 @@ public class PortalConfigSecurity {
.changeSessionId()
);
return http.build();
}
}