From ca90c36839507f1a8f24245610058891e8d63512 Mon Sep 17 00:00:00 2001
From: Andrew DeMaria
Date: Thu, 11 May 2017 18:55:37 -0600
Subject: [PATCH] Only allow admin role for db.view and fix matchers against non .view urls

Signed-off-by: Andrew DeMaria
---
 .../player/security/GlobalSecurityConfig.java | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/libresonic-main/src/main/java/org/libresonic/player/security/GlobalSecurityConfig.java b/libresonic-main/src/main/java/org/libresonic/player/security/GlobalSecurityConfig.java
index 3fd5db15..60bed7d4 100644
--- a/libresonic-main/src/main/java/org/libresonic/player/security/GlobalSecurityConfig.java
+++ b/libresonic-main/src/main/java/org/libresonic/player/security/GlobalSecurityConfig.java
@@ -94,7 +94,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
  .csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher).and()
  .headers().frameOptions().sameOrigin().and()
  .authorizeRequests()
- .antMatchers("/ext/stream/**", "/ext/coverArt.view", "/ext/share/**", "/ext/hls/**")
+ .antMatchers("/ext/stream/**", "/ext/coverArt*", "/ext/share/**", "/ext/hls/**")
  .hasAnyRole("TEMP", "USER").and()
  .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
  .exceptionHandling().and()
@@ -125,29 +125,29 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
  .frameOptions()
  .sameOrigin()
  .and().authorizeRequests()
- .antMatchers("/recover.view", "/accessDenied.view",
+ .antMatchers("/recover*", "/accessDenied*",
  "/style/**", "/icons/**", "/flash/**", "/script/**",
  "/sonos/**", "/crossdomain.xml", "/login", "/error")
  .permitAll()
- .antMatchers("/personalSettings.view", "/passwordSettings.view",
- "/playerSettings.view", "/shareSettings.view", "/passwordSettings.view")
+ .antMatchers("/personalSettings*", "/passwordSettings*",
+ "/playerSettings*", "/shareSettings*", "/passwordSettings*")
  .hasRole("SETTINGS")
- .antMatchers("/generalSettings.view", "/advancedSettings.view", "/userSettings.view",
- "/musicFolderSettings.view", "/databaseSettings.view")
+ .antMatchers("/generalSettings*", "/advancedSettings*", "/userSettings*",
+ "/musicFolderSettings*", "/databaseSettings*")
  .hasRole("ADMIN")
- .antMatchers("/deletePlaylist.view", "/savePlaylist.view")
+ .antMatchers("/deletePlaylist*", "/savePlaylist*", "/db*")
  .hasRole("PLAYLIST")
- .antMatchers("/download.view")
+ .antMatchers("/download*")
  .hasRole("DOWNLOAD")
- .antMatchers("/upload.view")
+ .antMatchers("/upload*")
  .hasRole("UPLOAD")
- .antMatchers("/createShare.view")
+ .antMatchers("/createShare*")
  .hasRole("SHARE")
- .antMatchers("/changeCoverArt.view", "/editTags.view")
+ .antMatchers("/changeCoverArt*", "/editTags*")
  .hasRole("COVERART")
- .antMatchers("/setMusicFileInfo.view")
+ .antMatchers("/setMusicFileInfo*")
  .hasRole("COMMENT")
- .antMatchers("/podcastReceiverAdmin.view")
+ .antMatchers("/podcastReceiverAdmin*")
  .hasRole("PODCAST")
  .antMatchers("/**")
  .hasRole("USER")
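Review bot: `"/db*"` is added to the PLAYLIST matcher, so the database page that this commit's title says should be admin-only is in fact granted to every user holding the PLAYLIST role, which is presumably a much wider set than ADMIN. Move it onto the ADMIN line — `.antMatchers("/generalSettings*", "/advancedSettings*", "/userSettings*", "/musicFolderSettings*", "/databaseSettings*", "/db*")` — and reduce the playlist line to `.antMatchers("/deletePlaylist*", "/savePlaylist*")`. A single `*` matches any run of characters inside one path segment, so `/db*` also covers `/databaseSettings.view` and the new `permitAll()` entries `/recover*` and `/accessDenied*` would cover any future endpoint starting with those prefixes; first-match ordering is the only thing keeping the ADMIN rule ahead, which deserves a comment such as `// order matters: the first matching rule wins, keep ADMIN-only and narrow patterns above broader ones`. Minor: `"/passwordSettings*"` is listed twice in the SETTINGS matcher. The enclosing configure method begins and ends outside this hunk.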
@@ -155,7 +155,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
  .and().formLogin()
  .loginPage("/login")
  .permitAll()
- .defaultSuccessUrl("/index.view", true)
+ .defaultSuccessUrl("/index", true)
  .failureUrl(FAILURE_URL)
  .usernameParameter("j_username")
  .passwordParameter("j_password")