Exclude /dwr urls from csrf validation.

8 years ago · b7b42ea4cb
parent ed7758acab
commit b7b42ea4cb
3 changed files with 44 additions and 1 deletions
--- a/libresonic-main/src/main/java/org/libresonic/player/security/CsrfSecurityRequestMatcher.java
+++ b/libresonic-main/src/main/java/org/libresonic/player/security/CsrfSecurityRequestMatcher.java
@ -0,0 +1,38 @@
 package org.libresonic.player.security;
 import org.springframework.security.web.util.matcher.RegexRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.stereotype.Component;
 import javax.servlet.http.HttpServletRequest;
 import java.util.regex.Pattern;
 /**
 * See
 *
 * http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/
 * https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-csrf
 *
 *
 */
@Component
 public class CsrfSecurityRequestMatcher implements RequestMatcher {
    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
    private RegexRequestMatcher dwrRequestMatcher = new RegexRequestMatcher("/dwr/.*\\.dwr", "POST");
    @Override
    public boolean matches(HttpServletRequest request) {
        boolean requireCsrfToken = true;
        if(allowedMethods.matcher(request.getMethod()).matches()){
            requireCsrfToken = false;
        } else {
            if (dwrRequestMatcher.matches(request)) {
                requireCsrfToken = false;
            }
        }
        return requireCsrfToken;
    }
 }
--- a/libresonic-main/src/main/resources/applicationContext-security.xml
+++ b/libresonic-main/src/main/resources/applicationContext-security.xml
@ -9,6 +9,9 @@
    <security:http auto-config='true'>
        <security:csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
        <security:headers>
            <security:frame-options policy="SAMEORIGIN"/>
        </security:headers>
--- a/libresonic-main/src/main/resources/libresonic-servlet.xml
+++ b/libresonic-main/src/main/resources/libresonic-servlet.xml
@ -13,7 +13,9 @@
        http://www.springframework.org/schema/mvc/spring-mvc.xsd">
    <mvc:annotation-driven />
-    <context:component-scan base-package="org.libresonic.player.controller, org.libresonic.player.validator"/>
+    <context:component-scan base-package="org.libresonic.player.controller,
        org.libresonic.player.validator,
        org.libresonic.player.security"/>
    <bean id="streamController" class="org.libresonic.player.controller.StreamController">
        <property name="playerService" ref="playerService"/>