airsonic-custom/airsonic-main/src/main/java/org/airsonic/player/security/CsrfSecurityRequestMatcher....

package org.airsonic.player.security;

import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;

import java.util.regex.Pattern;

/**
 * See
 *
 * http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/
 * https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-csrf
 *
 *
 */
@Component
public class CsrfSecurityRequestMatcher implements RequestMatcher {
    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
    private RegexRequestMatcher dwrRequestMatcher = new RegexRequestMatcher("/dwr/.*\\.dwr", "POST");
    private RegexRequestMatcher restRequestMatcher = new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST");

    @Override
    public boolean matches(HttpServletRequest request) {

        boolean requireCsrfToken = true;

        if(allowedMethods.matcher(request.getMethod()).matches()){
            requireCsrfToken = false;
        } else {
            if (dwrRequestMatcher.matches(request)) {
                requireCsrfToken = false;
            } else if (restRequestMatcher.matches(request)) {
                requireCsrfToken = false;
            }
        }

        return requireCsrfToken;
    }
}
Rename libresonic -> airsonic Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com> 7 years ago			`package org.airsonic.player.security;`
Exclude /dwr urls from csrf validation. 8 years ago
			`import org.springframework.security.web.util.matcher.RegexRequestMatcher;`
			`import org.springframework.security.web.util.matcher.RequestMatcher;`
			`import org.springframework.stereotype.Component;`

			`import javax.servlet.http.HttpServletRequest;`
Standardize import order and add maven plugin to check Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com> 8 years ago
Exclude /dwr urls from csrf validation. 8 years ago			`import java.util.regex.Pattern;`

			`/**`
			`* See`
			`*`
			`* http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/`
			`* https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-csrf`
			`*`
			`*`
			`*/`
			`@Component`
			`public class CsrfSecurityRequestMatcher implements RequestMatcher {`
			`private Pattern allowedMethods = Pattern.compile("^(GET\|HEAD\|TRACE\|OPTIONS)$");`
			`private RegexRequestMatcher dwrRequestMatcher = new RegexRequestMatcher("/dwr/.*\\.dwr", "POST");`
Fix for issue 214. POST rest requests must be excluded from csrf validation getLicense rest api method is required. 8 years ago			`private RegexRequestMatcher restRequestMatcher = new RegexRequestMatcher("/rest/.\\.view(\\?.)?", "POST");`
Exclude /dwr urls from csrf validation. 8 years ago
			`@Override`
			`public boolean matches(HttpServletRequest request) {`

			`boolean requireCsrfToken = true;`

			`if(allowedMethods.matcher(request.getMethod()).matches()){`
			`requireCsrfToken = false;`
			`} else {`
			`if (dwrRequestMatcher.matches(request)) {`
			`requireCsrfToken = false;`
Fix for issue 214. POST rest requests must be excluded from csrf validation getLicense rest api method is required. 8 years ago			`} else if (restRequestMatcher.matches(request)) {`
			`requireCsrfToken = false;`
Exclude /dwr urls from csrf validation. 8 years ago			`}`
			`}`

			`return requireCsrfToken;`
			`}`
			`}`