diff --git a/build.gradle b/build.gradle index f8b099bb8..e9ceaa90c 100644 --- a/build.gradle +++ b/build.gradle @@ -137,7 +137,7 @@ dependencies { if (System.getenv("DOCKER_ENABLE_SECURITY") != "false") { implementation "org.springframework.boot:spring-boot-starter-security:$springBootVersion" - runtimeOnly "org.thymeleaf.extras:thymeleaf-extras-springsecurity5:3.1.2.RELEASE" + implementation "org.thymeleaf.extras:thymeleaf-extras-springsecurity5:3.1.2.RELEASE" implementation "org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion" implementation "org.springframework.boot:spring-boot-starter-oauth2-client:$springBootVersion" @@ -154,6 +154,8 @@ dependencies { implementation "org.springframework.security:spring-security-saml2-service-provider" implementation 'com.coveo:saml-client:5.0.0' + + } testImplementation "org.springframework.boot:spring-boot-starter-test:$springBootVersion" diff --git a/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java b/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java index 04469cec8..618c39d6d 100644 --- a/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java +++ b/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java @@ -36,6 +36,8 @@ import org.springframework.security.saml2.provider.service.web.authentication.Sa import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository; +import org.springframework.security.web.csrf.CookieCsrfTokenRepository; +import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler; import org.springframework.security.web.savedrequest.NullRequestCache; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @@ -94,6 +96,16 @@ public class SecurityConfiguration { userAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); if (applicationProperties.getSecurity().getCsrfDisabled()) { http.csrf(csrf -> csrf.disable()); + } else { + CookieCsrfTokenRepository cookieRepo = + CookieCsrfTokenRepository.withHttpOnlyFalse(); + CsrfTokenRequestAttributeHandler requestHandler = + new CsrfTokenRequestAttributeHandler(); + requestHandler.setCsrfRequestAttributeName(null); + http.csrf( + csrf -> + csrf.csrfTokenRepository(cookieRepo) + .csrfTokenRequestHandler(requestHandler)); } http.addFilterBefore(rateLimitingFilter(), UsernamePasswordAuthenticationFilter.class); http.addFilterAfter(firstLoginFilter, UsernamePasswordAuthenticationFilter.class); @@ -113,6 +125,7 @@ public class SecurityConfiguration { logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .logoutSuccessHandler( new CustomLogoutSuccessHandler(applicationProperties)) + .clearAuthentication(true) .invalidateHttpSession(true) // Invalidate session .deleteCookies("JSESSIONID", "remember-me")); http.rememberMe( @@ -223,6 +236,16 @@ public class SecurityConfiguration { } else { if (applicationProperties.getSecurity().getCsrfDisabled()) { http.csrf(csrf -> csrf.disable()); + } else { + CookieCsrfTokenRepository cookieRepo = + CookieCsrfTokenRepository.withHttpOnlyFalse(); + CsrfTokenRequestAttributeHandler requestHandler = + new CsrfTokenRequestAttributeHandler(); + requestHandler.setCsrfRequestAttributeName(null); + http.csrf( + csrf -> + csrf.csrfTokenRepository(cookieRepo) + .csrfTokenRequestHandler(requestHandler)); } http.authorizeHttpRequests(authz -> authz.anyRequest().permitAll()); } diff --git a/src/main/resources/templates/change-creds.html b/src/main/resources/templates/change-creds.html index 8dfdeaeb9..0ba3ed7b2 100644 --- a/src/main/resources/templates/change-creds.html +++ b/src/main/resources/templates/change-creds.html @@ -27,7 +27,7 @@

Change password

-
+
diff --git a/src/main/resources/templates/fragments/navbar.html b/src/main/resources/templates/fragments/navbar.html index d31749dac..5d58532fa 100644 --- a/src/main/resources/templates/fragments/navbar.html +++ b/src/main/resources/templates/fragments/navbar.html @@ -351,7 +351,7 @@
- + diff --git a/src/main/resources/templates/merge-pdfs.html b/src/main/resources/templates/merge-pdfs.html index 8a874788c..3bd58e27f 100644 --- a/src/main/resources/templates/merge-pdfs.html +++ b/src/main/resources/templates/merge-pdfs.html @@ -19,7 +19,7 @@ add_to_photos
-
+
- +
diff --git a/src/main/resources/templates/misc/remove-annotations.html b/src/main/resources/templates/misc/remove-annotations.html index cb65fa9bc..de411422d 100644 --- a/src/main/resources/templates/misc/remove-annotations.html +++ b/src/main/resources/templates/misc/remove-annotations.html @@ -16,7 +16,7 @@ thread_unread
- +
diff --git a/src/main/resources/templates/remove-image-pdf.html b/src/main/resources/templates/remove-image-pdf.html index 9c3d7922d..0d395474f 100644 --- a/src/main/resources/templates/remove-image-pdf.html +++ b/src/main/resources/templates/remove-image-pdf.html @@ -20,7 +20,7 @@ remove_selection
- +

diff --git a/src/main/resources/templates/security/add-password.html b/src/main/resources/templates/security/add-password.html index e705f96b9..1283a4268 100644 --- a/src/main/resources/templates/security/add-password.html +++ b/src/main/resources/templates/security/add-password.html @@ -16,7 +16,7 @@ lock
- +
diff --git a/src/main/resources/templates/security/add-watermark.html b/src/main/resources/templates/security/add-watermark.html index a9cdebc48..9f8818bed 100644 --- a/src/main/resources/templates/security/add-watermark.html +++ b/src/main/resources/templates/security/add-watermark.html @@ -17,7 +17,7 @@
- +
diff --git a/src/main/resources/templates/security/auto-redact.html b/src/main/resources/templates/security/auto-redact.html index 7709af87a..6754a8abc 100644 --- a/src/main/resources/templates/security/auto-redact.html +++ b/src/main/resources/templates/security/auto-redact.html @@ -16,7 +16,7 @@ ink_eraser
- +
diff --git a/src/main/resources/templates/security/cert-sign.html b/src/main/resources/templates/security/cert-sign.html index 4c3a34d0e..ab9a755a9 100644 --- a/src/main/resources/templates/security/cert-sign.html +++ b/src/main/resources/templates/security/cert-sign.html @@ -16,7 +16,7 @@ workspace_premium
- +
diff --git a/src/main/resources/templates/security/change-permissions.html b/src/main/resources/templates/security/change-permissions.html index 1a8b5bfd1..52d743913 100644 --- a/src/main/resources/templates/security/change-permissions.html +++ b/src/main/resources/templates/security/change-permissions.html @@ -17,7 +17,7 @@

- +
diff --git a/src/main/resources/templates/security/remove-cert-sign.html b/src/main/resources/templates/security/remove-cert-sign.html index 216044eb1..ae0bc3cb4 100644 --- a/src/main/resources/templates/security/remove-cert-sign.html +++ b/src/main/resources/templates/security/remove-cert-sign.html @@ -16,7 +16,7 @@ remove_moderator
- +
diff --git a/src/main/resources/templates/security/remove-password.html b/src/main/resources/templates/security/remove-password.html index 615586531..96617cdd6 100644 --- a/src/main/resources/templates/security/remove-password.html +++ b/src/main/resources/templates/security/remove-password.html @@ -16,7 +16,7 @@ lock_open_right
- +
diff --git a/src/main/resources/templates/security/remove-watermark.html b/src/main/resources/templates/security/remove-watermark.html index 51e904cac..e507bb51e 100644 --- a/src/main/resources/templates/security/remove-watermark.html +++ b/src/main/resources/templates/security/remove-watermark.html @@ -16,7 +16,7 @@ water_drop
- +
diff --git a/src/main/resources/templates/security/sanitize-pdf.html b/src/main/resources/templates/security/sanitize-pdf.html index 6325d8b42..c24b494b6 100644 --- a/src/main/resources/templates/security/sanitize-pdf.html +++ b/src/main/resources/templates/security/sanitize-pdf.html @@ -16,7 +16,7 @@ sanitizer
- +