Merge pull request #1542 from steve-community/1523-connection-issues-websocket

Fix SOAP/WS connection issues

Author: goekay

src/main/java/de/rwth/idsg/steve/Application.java

@@ -46,9 +46,9 @@ public Application() {
 
         switch (sc.getProfile()) {
             case DEV:
+            case TEST:
                 delegate = new SteveDevStarter();
                 break;
-            case TEST:
             case PROD:
                 delegate = new SteveProdStarter();
                 break;

src/main/java/de/rwth/idsg/steve/SteveAppContext.java

@@ -110,15 +110,13 @@ private WebAppContext initWebApp() {
         ctx.addServlet(web, CONFIG.getSpringMapping());
         ctx.addServlet(cxf, CONFIG.getCxfMapping() + "/*");
 
-        if (CONFIG.getProfile().isProd()) {
-            // If PROD, add security filter
-            ctx.addFilter(
-                // The bean name is not arbitrary, but is as expected by Spring
-                new FilterHolder(new DelegatingFilterProxy(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)),
-                CONFIG.getSpringMapping() + "*",
-                EnumSet.allOf(DispatcherType.class)
-            );
-        }
+        // add spring security
+        ctx.addFilter(
+            // The bean name is not arbitrary, but is as expected by Spring
+            new FilterHolder(new DelegatingFilterProxy(AbstractSecurityWebApplicationInitializer.DEFAULT_FILTER_NAME)),
+            CONFIG.getSpringMapping() + "*",
+            EnumSet.allOf(DispatcherType.class)
+        );
 
         initJSP(ctx);
         return ctx;

src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java

@@ -20,12 +20,9 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.Strings;
-import de.rwth.idsg.steve.SteveProdCondition;
 import de.rwth.idsg.steve.web.api.ApiControllerAdvice;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
@@ -34,7 +31,6 @@
 import org.springframework.security.authentication.DisabledException;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -52,6 +48,7 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+
 import java.io.IOException;
 
 import static de.rwth.idsg.steve.SteveConfiguration.CONFIG;
@@ -63,7 +60,6 @@
 @Slf4j
 @Configuration
 @EnableWebSecurity
-@Conditional(SteveProdCondition.class)
 public class SecurityConfiguration {
 
     /**
@@ -99,10 +95,15 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                     .requestMatchers(
                         "/static/**",
                         CONFIG.getCxfMapping() + "/**",
+                        WebSocketConfiguration.PATH_INFIX + "**",
                         "/WEB-INF/views/**" // https://github.com/spring-projects/spring-security/issues/13285#issuecomment-1579097065
                     ).permitAll()
                     .requestMatchers(prefix + "/**").hasRole("ADMIN")
             )
+            // SOAP stations are making POST calls for communication. even though the following path is permitted for
+            // all access, there is a global default behaviour from spring security: enable CSRF for all POSTs.
+            // we need to disable CSRF for SOAP paths explicitly.
+            .csrf(c -> c.ignoringRequestMatchers(CONFIG.getCxfMapping() + "/**"))
             .sessionManagement(
                 req -> req.invalidSessionUrl(prefix + "/signin")
             )