Add config flag for websocket csrf

This commit is contained in:
anthonyraymond 2017-07-30 01:46:31 +02:00
parent 5cc647feb8
commit dca7ce71d9
2 changed files with 8 additions and 3 deletions

View file

@ -3,6 +3,7 @@ package org.araymond.joal.web.config.security;
import org.araymond.joal.web.annotations.ConditionalOnWebUi; import org.araymond.joal.web.annotations.ConditionalOnWebUi;
import org.araymond.joal.web.config.security.springoverrides.JoalAbstractSecurityWebSocketMessageBrokerConfigurer; import org.araymond.joal.web.config.security.springoverrides.JoalAbstractSecurityWebSocketMessageBrokerConfigurer;
import org.araymond.joal.web.config.security.springoverrides.TokenSecurityChannelInterceptor; import org.araymond.joal.web.config.security.springoverrides.TokenSecurityChannelInterceptor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.SimpMessageType; import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry; import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
@ -16,8 +17,11 @@ import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBr
@EnableWebSocketMessageBroker @EnableWebSocketMessageBroker
public class WebSocketSecurityConfig extends JoalAbstractSecurityWebSocketMessageBrokerConfigurer { public class WebSocketSecurityConfig extends JoalAbstractSecurityWebSocketMessageBrokerConfigurer {
public WebSocketSecurityConfig( final TokenSecurityChannelInterceptor tokenSecurityChannelInterceptor) { private final boolean sameOrigin;
public WebSocketSecurityConfig(@Value("${joal.websocket.same-origin}") final boolean sameOrigin, final TokenSecurityChannelInterceptor tokenSecurityChannelInterceptor) {
super(tokenSecurityChannelInterceptor); super(tokenSecurityChannelInterceptor);
this.sameOrigin = sameOrigin;
} }
@Override @Override
@ -38,9 +42,8 @@ public class WebSocketSecurityConfig extends JoalAbstractSecurityWebSocketMessag
.anyMessage().denyAll(); .anyMessage().denyAll();
} }
// TODO : test purpose, investigate on this
@Override @Override
protected boolean sameOriginDisabled() { protected boolean sameOriginDisabled() {
return true; return !this.sameOrigin;
} }
} }

View file

@ -28,6 +28,8 @@ server.port=${random.int[4000,60000]}
#### ui #### ui
#joal.ui.path.prefix="url-that-can-not-be-guessed" #add a prefix to obfuscate url and prevent tracker to simple check an endpoint to detect JOAL #joal.ui.path.prefix="url-that-can-not-be-guessed" #add a prefix to obfuscate url and prevent tracker to simple check an endpoint to detect JOAL
#joal.ui.secret-token="super-secret-token-that-can-not-be-guessed" #joal.ui.secret-token="super-secret-token-that-can-not-be-guessed"
# Are websocket connection coming from same origin
joal.websocket.same-origin=true
######### END Ensure server is not too exposing too much, and thus create a open access point to trackers ######### ######### END Ensure server is not too exposing too much, and thus create a open access point to trackers #########