From 16aff436079d70b125ccc568964c84a6f0cc8a17 Mon Sep 17 00:00:00 2001
From: Adam
Date: Thu, 28 Sep 2017 19:22:08 -0400
Subject: [PATCH] http-service: disable csrf protection which got enabled from the cache security manager
---
 .../service/RestSecurityConfiguration.java | 39 +++++++++++++++++++
 .../http/service/cache/CacheSecurity.java | 2 +
 2 files changed, 41 insertions(+)
 create mode 100644 http-service/src/main/java/net/runelite/http/service/RestSecurityConfiguration.java
diff --git a/http-service/src/main/java/net/runelite/http/service/RestSecurityConfiguration.java b/http-service/src/main/java/net/runelite/http/service/RestSecurityConfiguration.java
new file mode 100644
index 0000000000..28616693f9
--- /dev/null
+++ b/http-service/src/main/java/net/runelite/http/service/RestSecurityConfiguration.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2017, Adam
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+package net.runelite.http.service;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+public class RestSecurityConfiguration extends WebSecurityConfigurerAdapter
+{
+ @Override
+ protected void configure(HttpSecurity http) throws Exception
+ {
+ http.csrf().disable();
+ }
+}
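Review bot: `configure` switches CSRF protection off for every request this chain handles, and because it neither calls `super.configure(http)` nor adds `authorizeRequests()`, the chain carries no authorization rules either. Whether that is safe depends on how the service's endpoints authenticate, which the diff does not show; if any of them rely on a session cookie, state-changing requests lose their CSRF check. I would put a comment above the call stating the reason, for example `// REST API: callers authenticate per request, no cookie session, so CSRF tokens do not apply` (wording to be confirmed by the author). If only part of the API needs the exemption, narrow it with `http.csrf().ignoringAntMatchers("/<api-path>/**")` (placeholder path) instead of disabling it outright.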
diff --git a/http-service/src/main/java/net/runelite/http/service/cache/CacheSecurity.java b/http-service/src/main/java/net/runelite/http/service/cache/CacheSecurity.java
index 16a6794e56..4a7989bd82 100644
--- a/http-service/src/main/java/net/runelite/http/service/cache/CacheSecurity.java
+++ b/http-service/src/main/java/net/runelite/http/service/cache/CacheSecurity.java
@@ -26,6 +26,7 @@ package net.runelite.http.service.cache;
 
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -33,6 +34,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 
 @Configuration
 @EnableWebSecurity
+@Order(200)
 public class CacheSecurity extends WebSecurityConfigurerAdapter
 {
 @Value("${auth.password}")
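Review bot: `@Order(200)` puts CacheSecurity behind the new RestSecurityConfiguration, which inherits the adapter's default order of 100 and sets no request matcher, so the first chain appears to match every request and CacheSecurity's `HttpSecurity` rules may never be applied. CacheSecurity's `configure` lies outside this hunk, so please confirm that whatever it protects with `auth.password` is still enforced after this change. If it is not, give the narrower configuration the lower order and scope it, e.g. `http.antMatcher("/<cache-path>/**")` (placeholder path) in CacheSecurity, leaving the catch-all chain last. A test that requests a protected cache endpoint without credentials and expects a 401 would pin the behaviour down.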