Only allow admin role for db.view and fix matchers against non .view urls

Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
master
Andrew DeMaria 8 years ago
parent 45ef0903f4
commit ca90c36839
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
  1. 28
      libresonic-main/src/main/java/org/libresonic/player/security/GlobalSecurityConfig.java

@ -94,7 +94,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
.csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher).and() .csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher).and()
.headers().frameOptions().sameOrigin().and() .headers().frameOptions().sameOrigin().and()
.authorizeRequests() .authorizeRequests()
.antMatchers("/ext/stream/**", "/ext/coverArt.view", "/ext/share/**", "/ext/hls/**") .antMatchers("/ext/stream/**", "/ext/coverArt*", "/ext/share/**", "/ext/hls/**")
.hasAnyRole("TEMP", "USER").and() .hasAnyRole("TEMP", "USER").and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.exceptionHandling().and() .exceptionHandling().and()
@ -125,29 +125,29 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
.frameOptions() .frameOptions()
.sameOrigin() .sameOrigin()
.and().authorizeRequests() .and().authorizeRequests()
.antMatchers("/recover.view", "/accessDenied.view", .antMatchers("/recover*", "/accessDenied*",
"/style/**", "/icons/**", "/flash/**", "/script/**", "/style/**", "/icons/**", "/flash/**", "/script/**",
"/sonos/**", "/crossdomain.xml", "/login", "/error") "/sonos/**", "/crossdomain.xml", "/login", "/error")
.permitAll() .permitAll()
.antMatchers("/personalSettings.view", "/passwordSettings.view", .antMatchers("/personalSettings*", "/passwordSettings*",
"/playerSettings.view", "/shareSettings.view", "/passwordSettings.view") "/playerSettings*", "/shareSettings*", "/passwordSettings*")
.hasRole("SETTINGS") .hasRole("SETTINGS")
.antMatchers("/generalSettings.view", "/advancedSettings.view", "/userSettings.view", .antMatchers("/generalSettings*", "/advancedSettings*", "/userSettings*",
"/musicFolderSettings.view", "/databaseSettings.view") "/musicFolderSettings*", "/databaseSettings*")
.hasRole("ADMIN") .hasRole("ADMIN")
.antMatchers("/deletePlaylist.view", "/savePlaylist.view") .antMatchers("/deletePlaylist*", "/savePlaylist*", "/db*")
.hasRole("PLAYLIST") .hasRole("PLAYLIST")
.antMatchers("/download.view") .antMatchers("/download*")
.hasRole("DOWNLOAD") .hasRole("DOWNLOAD")
.antMatchers("/upload.view") .antMatchers("/upload*")
.hasRole("UPLOAD") .hasRole("UPLOAD")
.antMatchers("/createShare.view") .antMatchers("/createShare*")
.hasRole("SHARE") .hasRole("SHARE")
.antMatchers("/changeCoverArt.view", "/editTags.view") .antMatchers("/changeCoverArt*", "/editTags*")
.hasRole("COVERART") .hasRole("COVERART")
.antMatchers("/setMusicFileInfo.view") .antMatchers("/setMusicFileInfo*")
.hasRole("COMMENT") .hasRole("COMMENT")
.antMatchers("/podcastReceiverAdmin.view") .antMatchers("/podcastReceiverAdmin*")
.hasRole("PODCAST") .hasRole("PODCAST")
.antMatchers("/**") .antMatchers("/**")
.hasRole("USER") .hasRole("USER")
@ -155,7 +155,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
.and().formLogin() .and().formLogin()
.loginPage("/login") .loginPage("/login")
.permitAll() .permitAll()
.defaultSuccessUrl("/index.view", true) .defaultSuccessUrl("/index", true)
.failureUrl(FAILURE_URL) .failureUrl(FAILURE_URL)
.usernameParameter("j_username") .usernameParameter("j_username")
.passwordParameter("j_password") .passwordParameter("j_password")

Loading…
Cancel
Save