 
 
 

package org.airsonic.player.security;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/**
 * Background reading on customising Spring Security's CSRF request matching:
 *
 * http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/
 * https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-csrf
 */
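@Component
public class CsrfSecurityRequestMatcher implements RequestMatcher {

    /**
     * HTTP methods that never require a CSRF token. These are the methods
     * RFC 7231 (section 4.2.1) defines as safe, and the same set Spring
     * Security's default CSRF matcher exempts. The lookup is case-sensitive,
     * as HTTP method names are; the set is immutable so it cannot be widened
     * at runtime.
     */
    private static final Set<String> SAFE_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS")));

    /**
     * POST endpoints exempted from CSRF enforcement. Every entry here widens
     * the attack surface: an exempted endpoint is only safe if it does not
     * authenticate the caller by the session cookie alone, or has no side
     * effects when forged. The list is immutable once built.
     *
     * NOTE(review): Spring Security's RegexRequestMatcher is understood to
     * match against servlet path + path info with "?" + query string appended
     * when present; the /rest pattern below looks written with that in mind,
     * the /dwr and /search patterns are not, so a /dwr or /search POST that
     * carries a query string would fall back to the CSRF check rather than be
     * exempted. Confirm against the Spring Security version in use.
     */
    private final List<RegexRequestMatcher> whiteListedMatchers;

    /**
     * Builds the matcher with its fixed exemption list. Spring instantiates
     * this as a component; nothing is read from configuration.
     */
    public CsrfSecurityRequestMatcher() {
        this.whiteListedMatchers = Collections.unmodifiableList(Arrays.asList(
                // DWR (AJAX) endpoints. NOTE(review): this presumably relies on
                // DWR's own cross-site request protection -- verify it is enabled.
                new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"),
                // Subsonic-compatible REST API. NOTE(review): presumably
                // authenticated per request by credentials carried in the
                // request itself rather than by the session cookie -- verify,
                // otherwise this exemption is a CSRF hole on every REST call.
                new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"),
                // Search form. NOTE(review): presumably read-only -- verify the
                // handler has no state-changing side effects.
                new RegexRequestMatcher("/search(?:\\.view)?", "POST")
        ));
    }

    /**
     * Decides whether CSRF enforcement applies to {@code request}.
     *
     * @param request the incoming request
     * @return {@code true} if the request must carry a valid CSRF token;
     *         {@code false} for safe methods and for exempted POST endpoints
     */
    @Override
    public boolean matches(HttpServletRequest request) {
        // Safe methods are never checked, regardless of path.
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;
        }
        // Any explicit exemption also bypasses the check.
        for (RegexRequestMatcher exemption : whiteListedMatchers) {
            if (exemption.matches(request)) {
                return false;
            }
        }
        return true;
    }
}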