
Commit 0d162b1

committed
disabled CSRF on API endpoints, changed auth manager to a bean ID instead of reference, changed filter order to keep SECOAUTH from clearing out security contexts.
1 parent 71bb8d6 commit 0d162b1


2 files changed

+17
-7
lines changed


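--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
@@ -86,48 +86,56 @@
 <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:access-denied-handler ref="oauthAccessDeniedHandler" />
+<security:csrf disabled="true"/>
 </security:http>
 
 <!-- Allow open access to discovery endpoints -->
 <security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
 <security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:csrf disabled="true"/>
 </security:http>
 <security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
 <security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:csrf disabled="true"/>
 </security:http>
 
 <!-- Allow open access to all static resources -->
 <security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
 <security:intercept-url pattern="/resources/**" access="permitAll"/>
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:csrf disabled="true"/>
 </security:http>
 
 <!-- OAuth-protect API and other endpoints -->
 <security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
-<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:expression-handler ref="oauthWebExpressionHandler" />
 <security:intercept-url pattern="/register/**" access="permitAll"/>
+<security:csrf disabled="true"/>
 </security:http>
 
 <security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
-<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:expression-handler ref="oauthWebExpressionHandler" />
 <security:intercept-url pattern="/resource/**" access="permitAll"/>
+<security:csrf disabled="true"/>
 </security:http>
 
 <security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
-<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:expression-handler ref="oauthWebExpressionHandler" />
+<security:csrf disabled="true"/>
 </security:http>
 
 <security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
-<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
 <security:expression-handler ref="oauthWebExpressionHandler" />
+<security:csrf disabled="true"/>
 </security:http>
 
 <security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**"
@@ -136,10 +144,11 @@
 create-session="stateless"
 authentication-manager-ref="clientAuthenticationManager">
 <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> -->
+<!-- <security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" /> -->
 <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+<security:csrf disabled="true"/>
 </security:http>
 
 <security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
@@ -148,10 +157,11 @@
 create-session="stateless"
 authentication-manager-ref="clientAuthenticationManager">
 <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> -->
+<!-- <security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" /> -->
 <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+<security:csrf disabled="true"/>
 </security:http>
 
 <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">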
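Review bot: The `<security:csrf disabled="true"/>` added to the RootController API_URL block is inside an `<security:http>` configured with `create-session="never"`, which, unlike `stateless`, still reads an existing session; if a browser logged into the UI can reach these API endpoints with its session cookie, disabling CSRF there removes the only defence against cross-site requests, so either confirm that block honours bearer tokens only or leave CSRF enabled for it (the `stateless` blocks have no session to protect and the disable is harmless there). The new `after="CHANNEL_FILTER"` placement of resourceServerFilter puts it ahead of SECURITY_CONTEXT_FILTER; in stock Spring Security the context-persistence filter replaces the SecurityContextHolder contents with whatever it loads from its repository, so an authentication established by an earlier filter may not survive into the rest of the chain — worth verifying with a bearer-token request against one of the stateless blocks before relying on this ordering. The first `</security:http>` in the hunk closes a block whose opening tag is outside the hunk, so its session policy cannot be checked here. A short comment beside each disabled CSRF tag, e.g. `<!-- CSRF disabled: stateless bearer-token endpoint, no session cookie to forge -->`, would record the assumption for the next maintainer.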

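--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -29,7 +29,7 @@
 http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 
-<security:authentication-manager alias="authenticationManager">
+<security:authentication-manager id="authenticationManager">
 <security:authentication-provider>
 <security:jdbc-user-service data-source-ref="dataSource"/>
 </security:authentication-provider>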
