Only allow admin role for db.view and fix matchers against non .view urls

Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
master
Andrew DeMaria 8 years ago
parent 45ef0903f4
commit ca90c36839
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
  1. 28
      libresonic-main/src/main/java/org/libresonic/player/security/GlobalSecurityConfig.java

@ -94,7 +94,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
.csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher).and()
.headers().frameOptions().sameOrigin().and()
.authorizeRequests()
.antMatchers("/ext/stream/**", "/ext/coverArt.view", "/ext/share/**", "/ext/hls/**")
.antMatchers("/ext/stream/**", "/ext/coverArt*", "/ext/share/**", "/ext/hls/**")
.hasAnyRole("TEMP", "USER").and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.exceptionHandling().and()
@ -125,29 +125,29 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
.frameOptions()
.sameOrigin()
.and().authorizeRequests()
.antMatchers("/recover.view", "/accessDenied.view",
.antMatchers("/recover*", "/accessDenied*",
"/style/**", "/icons/**", "/flash/**", "/script/**",
"/sonos/**", "/crossdomain.xml", "/login", "/error")
.permitAll()
.antMatchers("/personalSettings.view", "/passwordSettings.view",
"/playerSettings.view", "/shareSettings.view", "/passwordSettings.view")
.antMatchers("/personalSettings*", "/passwordSettings*",
"/playerSettings*", "/shareSettings*", "/passwordSettings*")
.hasRole("SETTINGS")
.antMatchers("/generalSettings.view", "/advancedSettings.view", "/userSettings.view",
"/musicFolderSettings.view", "/databaseSettings.view")
.antMatchers("/generalSettings*", "/advancedSettings*", "/userSettings*",
"/musicFolderSettings*", "/databaseSettings*")
.hasRole("ADMIN")
.antMatchers("/deletePlaylist.view", "/savePlaylist.view")
.antMatchers("/deletePlaylist*", "/savePlaylist*", "/db*")
.hasRole("PLAYLIST")
.antMatchers("/download.view")
.antMatchers("/download*")
.hasRole("DOWNLOAD")
.antMatchers("/upload.view")
.antMatchers("/upload*")
.hasRole("UPLOAD")
.antMatchers("/createShare.view")
.antMatchers("/createShare*")
.hasRole("SHARE")
.antMatchers("/changeCoverArt.view", "/editTags.view")
.antMatchers("/changeCoverArt*", "/editTags*")
.hasRole("COVERART")
.antMatchers("/setMusicFileInfo.view")
.antMatchers("/setMusicFileInfo*")
.hasRole("COMMENT")
.antMatchers("/podcastReceiverAdmin.view")
.antMatchers("/podcastReceiverAdmin*")
.hasRole("PODCAST")
.antMatchers("/**")
.hasRole("USER")
@ -155,7 +155,7 @@ public class GlobalSecurityConfig extends GlobalAuthenticationConfigurerAdapter
.and().formLogin()
.loginPage("/login")
.permitAll()
.defaultSuccessUrl("/index.view", true)
.defaultSuccessUrl("/index", true)
.failureUrl(FAILURE_URL)
.usernameParameter("j_username")
.passwordParameter("j_password")

Loading…
Cancel
Save