add CSRF protection

2026-02-06 10:48:13 +00:00 · 2020-11-12 10:36:42 +08:00 · 2020-11-12 10:36:42 +08:00 · e2c9f482d2
commit e2c9f482d2
parent 5e53aaa369
4 changed files with 26 additions and 1 deletions
--- a/pom.xml
+++ b/pom.xml
@ -27,6 +27,10 @@
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
--- a/src/main/java/com/openbankproject/oauth2/WebSecurityConfiguration.java
+++ b/src/main/java/com/openbankproject/oauth2/WebSecurityConfiguration.java
@ -0,0 +1,18 @@
+package com.openbankproject.oauth2;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+@Configuration
+public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.csrf().csrfTokenRepository(new CookieCsrfTokenRepository().withHttpOnlyFalse())
+                .requireCsrfProtectionMatcher(
+                        httpServletRequest -> !httpServletRequest.getMethod().equalsIgnoreCase("GET")
+                )
+                .and().authorizeRequests().anyRequest().permitAll();
+    }
+}
--- a/src/main/java/com/openbankproject/oauth2/controller/ConsentController.java
+++ b/src/main/java/com/openbankproject/oauth2/controller/ConsentController.java
@ -137,18 +137,20 @@ public class ConsentController {
                .filter(it -> !it.equals("openid") && !it.equals("offline"))
                .toArray(String[]::new);
        HttpHeaders headers = buildDirectLoginHeader(session);
+        String[] allAccountIds = (String[]) session.getAttribute("all_account_ids");

        { // process selected accounts
            AccessToViewRequest body = new AccessToViewRequest(selectedObpScopes);
            HttpEntity<AccessToViewRequest> entity = new HttpEntity<>(body, headers);
+
            for (String accountId : accountIs) {
+                if(!ArrayUtils.contains(allAccountIds, accountId)) continue;
                String url = resetAccessViewUrl.replace("BANK_ID", bankId).replace("ACCOUNT_ID", accountId);
                restTemplate.exchange(url, HttpMethod.PUT, entity, HashMap.class);
            }
        }

        { // process not selected accounts
-            String[] allAccountIds = (String[]) session.getAttribute("all_account_ids");
            String[] notSelectAccountIds = ArrayUtils.removeElements(allAccountIds, accountIs);
            AccessToViewRequest body = new AccessToViewRequest(ArrayUtils.EMPTY_STRING_ARRAY);
            HttpEntity<AccessToViewRequest> entity = new HttpEntity<>(body, headers);
--- a/src/main/java/com/openbankproject/oauth2/util/ControllerUtils.java
+++ b/src/main/java/com/openbankproject/oauth2/util/ControllerUtils.java
@ -5,6 +5,7 @@ import org.springframework.http.MediaType;

 import javax.servlet.http.HttpSession;

+
 public interface ControllerUtils {

   static HttpHeaders buildDirectLoginHeader(HttpSession session) {