disable CSRF for SOAP endpoints

goekay · faculoyarte · commit b6fccb75dbdc · 2024-09-04T11:54:12.000-03:00
diff --git a/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java b/src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java
@@ -104,6 +104,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                     ).permitAll()
                     .requestMatchers(prefix + "/**").hasRole("ADMIN")
             )
+            // SOAP stations are making POST calls for communication. even though the following path is permitted for
+            // all access, there is a global default behaviour from spring security: enable CSRF for all POSTs.
+            // we need to disable CSRF for SOAP paths explicitly.
+            .csrf(c -> c.ignoringRequestMatchers(CONFIG.getCxfMapping() + "/**"))
             .sessionManagement(
                 req -> req.invalidSessionUrl(prefix + "/signin")
             )

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti`
`104`	`104`	`).permitAll()`
`105`	`105`	`.requestMatchers(prefix + "/**").hasRole("ADMIN")`
`106`	`106`	`)`
	`107`	`+ // SOAP stations are making POST calls for communication. even though the following path is permitted for`
	`108`	`+ // all access, there is a global default behaviour from spring security: enable CSRF for all POSTs.`
	`109`	`+ // we need to disable CSRF for SOAP paths explicitly.`
	`110`	`+ .csrf(c -> c.ignoringRequestMatchers(CONFIG.getCxfMapping() + "/**"))`
`107`	`111`	`.sessionManagement(`
`108`	`112`	`req -> req.invalidSessionUrl(prefix + "/signin")`
`109`	`113`	`)`