anthonyraymond/joal
1
1
Fork 0
mirror of https://github.com/anthonyraymond/joal.git synced 2024-09-20 15:26:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add config flag for websocket csrf

Browse source
This commit is contained in:
anthonyraymond 2017-07-30 01:46:31 +02:00
parent 5cc647feb8
commit dca7ce71d9
2 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/main/java/org/araymond/joal/web/config/security/WebSocketSecurityConfig.java
View file

@ -3,6 +3,7 @@ package org.araymond.joal.web.config.security;
import org.araymond.joal.web.annotations.ConditionalOnWebUi;
import org.araymond.joal.web.config.security.springoverrides.JoalAbstractSecurityWebSocketMessageBrokerConfigurer;
import org.araymond.joal.web.config.security.springoverrides.TokenSecurityChannelInterceptor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
@ -16,8 +17,11 @@ import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBr
@EnableWebSocketMessageBroker
public class WebSocketSecurityConfig extends JoalAbstractSecurityWebSocketMessageBrokerConfigurer {
public WebSocketSecurityConfig( final TokenSecurityChannelInterceptor tokenSecurityChannelInterceptor) {
private final boolean sameOrigin;
public WebSocketSecurityConfig(@Value("${joal.websocket.same-origin}") final boolean sameOrigin, final TokenSecurityChannelInterceptor tokenSecurityChannelInterceptor) {
super(tokenSecurityChannelInterceptor);
this.sameOrigin = sameOrigin;
}
@Override
@ -38,9 +42,8 @@ public class WebSocketSecurityConfig extends JoalAbstractSecurityWebSocketMessag
.anyMessage().denyAll();
}
// TODO : test purpose, investigate on this
@Override
protected boolean sameOriginDisabled() {
return true;
return !this.sameOrigin;
}
}

2
src/main/resources/application.properties
View file

@ -28,6 +28,8 @@ server.port=${random.int[4000,60000]}
#### ui
#joal.ui.path.prefix="url-that-can-not-be-guessed" #add a prefix to obfuscate url and prevent tracker to simple check an endpoint to detect JOAL
#joal.ui.secret-token="super-secret-token-that-can-not-be-guessed"
# Are websocket connection coming from same origin
joal.websocket.same-origin=true
######### END Ensure server is not too exposing too much, and thus create a open access point to trackers #########