Exclude /dwr urls from csrf validation.

8 years ago · b7b42ea4cb
parent ed7758acab
commit b7b42ea4cb
3 changed files with 44 additions and 1 deletions
--- a/libresonic-main/src/main/java/org/libresonic/player/security/CsrfSecurityRequestMatcher.java
+++ b/libresonic-main/src/main/java/org/libresonic/player/security/CsrfSecurityRequestMatcher.java
@ -0,0 +1,38 @@
+package org.libresonic.player.security;
+
+import org.springframework.security.web.util.matcher.RegexRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
+
+/**
+ * See
+ *
+ * http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/
+ * https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-csrf
+ *
+ *
+ */
+@Component
+public class CsrfSecurityRequestMatcher implements RequestMatcher {
+    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
+    private RegexRequestMatcher dwrRequestMatcher = new RegexRequestMatcher("/dwr/.*\\.dwr", "POST");
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+
+        boolean requireCsrfToken = true;
+
+        if(allowedMethods.matcher(request.getMethod()).matches()){
+            requireCsrfToken = false;
+        } else {
+            if (dwrRequestMatcher.matches(request)) {
+                requireCsrfToken = false;
+            }
+        }
+
+        return requireCsrfToken;
+    }
+}
--- a/libresonic-main/src/main/resources/applicationContext-security.xml
+++ b/libresonic-main/src/main/resources/applicationContext-security.xml
@ -9,6 +9,9 @@

    <security:http auto-config='true'>

+        <security:csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
+
+
        <security:headers>
            <security:frame-options policy="SAMEORIGIN"/>
        </security:headers>
--- a/libresonic-main/src/main/resources/libresonic-servlet.xml
+++ b/libresonic-main/src/main/resources/libresonic-servlet.xml
@ -13,7 +13,9 @@
        http://www.springframework.org/schema/mvc/spring-mvc.xsd">

    <mvc:annotation-driven />
-    <context:component-scan base-package="org.libresonic.player.controller, org.libresonic.player.validator"/>
+    <context:component-scan base-package="org.libresonic.player.controller,
+        org.libresonic.player.validator,
+        org.libresonic.player.security"/>

    <bean id="streamController" class="org.libresonic.player.controller.StreamController">
        <property name="playerService" ref="playerService"/>