Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

SOLVED: How to disable CSRF for certain matchers?

Ryan.Hunt:

So I've been brought to this project to solve some security issues and this is the only one that I just can't get it done. The project has been running like 3 years for now so I can't make too many radical changes due to testing costs and my goal is only enabling CSRF for certain matchers which cause CSRF issues.

Here's the configurations:


springVersion = '4.0.7.RELEASE'
springBootVersion = '1.1.5.RELEASE'
springSecurityVersion = '3.2.5.RELEASE' // for ldap security

Security configuration code in present :


http
.csrf().disable()
.headers().frameOptions().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/user/**").permitAll()
.antMatchers("/ws/**").permitAll()
...

To my understanding once you use .csrf().disable() it disables for all so after some search I came up something like this :


http
.csrf().requireCsrfProtectionMatcher(new CsrfSecurityRequestMatcher()).and()
.headers().frameOptions().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/user/**").permitAll()
.antMatchers("/ws/**").permitAll()
...

CsrfSecurityRequestMatcher Class that I found here : http://ift.tt/2kP8Y4m


private class CsrfSecurityRequestMatcher implements RequestMatcher {
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
private RegexRequestMatcher unprotectedMatcher = new RegexRequestMatcher("/api/action/**", null);

@Override
public boolean matches(HttpServletRequest request) {
if(allowedMethods.matcher(request.getMethod()).matches()){
return false;
}
return !unprotectedMatcher.matches(request);
}
}

But now i got this error :


org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'springSecurityFilterChain' defined in class path resource
[org/springframework/security/config/annotation/web/ configuration/WebSecurityConfiguration.class]:
Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException:
Factory method [public javax.servlet.Filter org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain() throws java.lang.Exception] threw exception; nested exception is org.springframework.security.config.annotation.AlreadyBuiltException:
This object has already been built

So is there anything I can do in this part of the code without changing project configurations?

Thanks



Posted in S.E.F
via StackOverflow & StackExchange Atomic Web Robots
This Question have been answered
HERE


This post first appeared on Stack Solved, please read the originial post: here

Share the post

SOLVED: How to disable CSRF for certain matchers?

×

Subscribe to Stack Solved

Get updates delivered right to your inbox!

Thank you for your subscription

×