github
/
halo
mirror of https://github.com/halo-dev/halo
1
0
Fork 0
Code Issues Releases Wiki Activity

Enable CSRF token in Set-Cookie header (#2144)

pull/2145/head
John Niang 2022-06-09 10:30:13 +08:00 committed by GitHub
parent b3b13bc820
commit 02a7143fe5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/main/java/run/halo/app/config/WebServerSecurityConfig.java
View File

@ -25,6 +25,7 @@ import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder; import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder; import org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.web.reactive.function.server.ServerResponse; import org.springframework.web.reactive.function.server.ServerResponse;
import run.halo.app.infra.properties.JwtProperties; import run.halo.app.infra.properties.JwtProperties;
import run.halo.app.security.authentication.jwt.LoginAuthenticationFilter; import run.halo.app.security.authentication.jwt.LoginAuthenticationFilter;
@ -77,7 +78,10 @@ public class WebServerSecurityConfig {
exchanges -> exchanges.pathMatchers("/v3/api-docs/**", "/v3/api-docs.yaml", exchanges -> exchanges.pathMatchers("/v3/api-docs/**", "/v3/api-docs.yaml",
"/swagger-ui/**", "/swagger-ui.html", "/webjars/**").permitAll()) "/swagger-ui/**", "/swagger-ui.html", "/webjars/**").permitAll())
.authorizeExchange(exchanges -> exchanges.anyExchange().authenticated()) .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
.cors(withDefaults()).httpBasic(withDefaults()).formLogin(withDefaults()) .cors(withDefaults())
.httpBasic(withDefaults())
.formLogin(withDefaults())
.csrf().csrfTokenRepository(new CookieServerCsrfTokenRepository()).and()
.logout(withDefaults()); .logout(withDefaults());
return http.build(); return http.build();