Fix RDP and minikube loading on multiple nodes #109
Conversation
phrocker
commented
Oct 24, 2025
- Implement RDP proxy module with Sentrius integration
| JwtDecoder compositeJwtDecoder) throws Exception { | ||
| http | ||
| .securityMatcher("/guacamole/**") | ||
| .csrf(csrf -> csrf.disable()) |
Check failure: Code scanning / CodeQL: Disabled Spring CSRF protection (High)
Copilot Autofix
AI 3 months ago
To fix the problem, CSRF protection should not be globally disabled for the /guacamole/** endpoints. Simply remove the .csrf(csrf -> csrf.disable()) line from the filter chain in the tunnelChain bean method. CSRF protection will then be active by default, per Spring Security best practices, requiring proper handling of CSRF tokens on these endpoints if accessed by browser clients. No other code changes or imports are needed, unless you decide you need to add configuration to handle CSRF tokens (not requested by the error/fix).
| @@ -118,7 +118,6 @@ | ||
| JwtDecoder compositeJwtDecoder) throws Exception { | ||
| http | ||
| .securityMatcher("/guacamole/**") | ||
| .csrf(csrf -> csrf.disable()) | ||
| .requestCache(cache -> cache.disable()) | ||
| .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) | ||
| .authorizeHttpRequests(auth -> auth.anyRequest().authenticated()) |
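Review bot: Dropping `.csrf(csrf -> csrf.disable())` on a chain that is also declared `sessionCreationPolicy(SessionCreationPolicy.STATELESS)` brings back the CsrfFilter with its default session-backed token repository, so this hunk alone is not a complete fix: it needs a token repository that works without a session (a cookie-based one) and browser clients that actually send the token on POST/PUT/DELETE, otherwise every state-changing request under /guacamole/** will be rejected with 403 once this lands. If the tunnel is only reached by bearer-token clients that never carry ambient cookies, the narrower option mentioned in the finding text, keeping CSRF enabled and exempting just the WebSocket path, is preferable to a blanket toggle in either direction; in both cases a one-line comment above the csrf() call should record the reason.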
| .anyRequest().permitAll()) | ||
| .sessionManagement(session -> session | ||
| .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) | ||
| .csrf(csrf -> csrf.disable()) |
Check failure: Code scanning / CodeQL: Disabled Spring CSRF protection (High)
Copilot Autofix
AI 3 months ago
To address the issue, CSRF protection should be enabled, especially for endpoints accessible by browsers. Therefore, the .csrf(csrf -> csrf.disable()) configuration should be removed. By default, Spring Security enables CSRF protection, so omitting the .csrf() configuration leaves protection on. If there are endpoints (such as /guacamole/websocket) that genuinely require CSRF disabled (e.g., for non-browser WebSocket connections), CSRF protection can be selectively disabled for those endpoints rather than globally. However, based on the provided code, the simplest and best fix is to remove the csrf.disable() call from the SecurityFilterChain bean, thereby restoring default CSRF protection for all routes.
Changes required:
- Remove (or comment out) the line .csrf(csrf -> csrf.disable()) from the rdpProxySecurityFilterChain configuration in RdpProxySecurityConfig.java.
- No imports, supporting methods, or further configuration changes are required if we enable default CSRF protection.
| @@ -36,7 +36,6 @@ | ||
| .anyRequest().permitAll()) | ||
| .sessionManagement(session -> session | ||
| .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) | ||
| .csrf(csrf -> csrf.disable()) | ||
| .cors(cors -> cors.configurationSource(corsConfigurationSource())) | ||
| .build(); | ||
| } |
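Review bot: This chain already answers `.anyRequest().permitAll()` and wires `corsConfigurationSource()`, so before removing `.csrf(csrf -> csrf.disable())` it should be stated which requests on these routes carry ambient browser credentials at all. If none do, re-enabling CSRF adds no protection and will break cross-origin POSTs from the front end with 403 until a token repository and header handling are configured; if some do, the combination of permitAll and a permissive CORS source is the larger exposure and should be tightened in the same change. Suggest a short comment documenting that decision next to the csrf() call instead of a silent removal.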
* Initial plan
* Remove service-specific verbs (Jira and GitHub)

Co-authored-by: phrocker <[email protected]>

* Mark service-specific verbs as not AI-callable instead of removing them

Co-authored-by: phrocker <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: phrocker <[email protected]>
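The selective configuration that the two CodeQL findings and the autofix text above describe, written out as an added example rather than code from this PR or the project: the flagged chain with CSRF switched off for everything under /guacamole/**, next to a chain that keeps CSRF enabled, stores the token in a cookie so it works with the STATELESS session policy, and exempts only the /guacamole/websocket path. The class name, bean names, the request handler and cookie filter, and the assumption that a single-page front end reads the XSRF-TOKEN cookie and echoes it in the X-XSRF-TOKEN header are mine; /guacamole/** and /guacamole/websocket are the paths named on the page.

```java
// Added example, not code from the PR. Spring Security 6.x.
package example.security;

import java.io.IOException;
import java.util.function.Supplier;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class GuacamoleCsrfExampleConfig {   // hypothetical class name

    // BEFORE: the pattern CodeQL flags. Every state-changing request under
    // /guacamole/** can be triggered from any site the user visits, as long as
    // the browser attaches ambient credentials (cookies) to it. Shown only
    // for contrast; it is deliberately not a @Bean.
    SecurityFilterChain flaggedChain(HttpSecurity http) throws Exception {
        return http
            .securityMatcher("/guacamole/**")
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .build();
    }

    // AFTER: CSRF stays on for the tunnel's HTTP endpoints. The token lives in
    // a cookie (no server session needed, so STATELESS still holds) and only
    // the WebSocket upgrade path is exempted, because the browser WebSocket
    // API cannot add a custom CSRF header; that endpoint must authenticate by
    // its own token instead of by cookie.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        return http
            .securityMatcher("/guacamole/**")
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
                .ignoringRequestMatchers("/guacamole/websocket"))   // narrow exemption
            .addFilterAfter(new CsrfCookieFilter(), CsrfFilter.class)
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .build();
    }

    // Renders the token BREACH-safe (XOR-masked) but accepts the plain cookie
    // value when the front end sends it back in the X-XSRF-TOKEN header.
    static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           Supplier<CsrfToken> csrfToken) {
            xor.handle(request, response, csrfToken);
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            String header = request.getHeader(csrfToken.getHeaderName());
            return (header != null && !header.isBlank())
                ? plain.resolveCsrfTokenValue(request, csrfToken)
                : xor.resolveCsrfTokenValue(request, csrfToken);
        }
    }

    // Token loading is deferred; touching getToken() forces the cookie to be
    // written on the first response so the front end can read it.
    static final class CsrfCookieFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (token != null) {
                token.getToken();
            }
            chain.doFilter(request, response);
        }
    }
}
```

Register only the second chain; the first exists to make the difference visible. The exemption is the point the findings raise: a chain can keep CSRF enabled while carving out one path that cannot carry the header, which is a far smaller surface than `csrf.disable()` across the whole matcher. If a chain accepts nothing but an Authorization: Bearer header and never reads cookies, CSRF protection adds little there, but that decision belongs in a comment beside the `csrf()` call so a scanner finding can be triaged against it rather than re-opened on every run.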