Merge pull request #2601 from NationalSecurityAgency/2.12.X-merge-4

2.12.x merge 4
NationalSecurityAgency · Jun 24, 2024 · 689438f · 689438f
2 parents f033bbc + 8b2ac6e
commit 689438f
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/dashboard/src/store/modules/auth.js b/dashboard/src/store/modules/auth.js
@@ -168,7 +168,7 @@ const actions = {
   logout({ commit }) {
     commit('clearAuthData');
     commit('showUa', false, { root: true });
-    axios.get('/logout')
+    axios.post('/logout')
       .then(() => {
         router.replace('/skills-login');
     });

diff --git a/service/src/main/java/skills/auth/PortalWebSecurityHelper.groovy b/service/src/main/java/skills/auth/PortalWebSecurityHelper.groovy
@@ -28,11 +28,14 @@ import org.springframework.security.authorization.AuthorizationManager
 import org.springframework.security.authorization.AuthorizationManagers
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext
+import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository
 import org.springframework.security.web.csrf.CsrfToken
 import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository
 import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher
 import org.springframework.security.web.util.matcher.OrRequestMatcher
@@ -68,16 +71,24 @@ class PortalWebSecurityHelper {
     @Autowired
     InviteOnlyProjectAuthorizationManager inviteOnlyProjectAuthorizationManager
 
+    @Autowired
+    CookieCsrfTokenRepository cookieCsrfTokenRepository
+
     @Autowired
     UserCommunityAuthorizationManager userCommunityAuthorizationManager
 
+    @Autowired
+    SessionAuthenticationStrategy csrfAuthenticationStrategy
+
     HttpSecurity configureHttpSecurity(HttpSecurity http) {
         if (disableCsrfProtection) {
             http.csrf().disable()
         } else {
             http.csrf((csrf) -> csrf
                     .requireCsrfProtectionMatcher(new MultipartRequestMatcher())
-                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                    .csrfTokenRepository(cookieCsrfTokenRepository)
+//                    .csrfTokenRepository(new HttpSessionCsrfTokenRepository())
+                    .sessionAuthenticationStrategy(csrfAuthenticationStrategy)
                     .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()))
                     .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
         }

diff --git a/service/src/main/java/skills/auth/SecurityConfiguration.groovy b/service/src/main/java/skills/auth/SecurityConfiguration.groovy
@@ -38,7 +38,11 @@ import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.access.AccessDeniedHandler
 import org.springframework.security.web.access.AccessDeniedHandlerImpl
+import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
 import org.springframework.security.web.context.SecurityContextRepository
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository
+import org.springframework.security.web.csrf.CsrfAuthenticationStrategy
 import org.springframework.security.web.firewall.HttpFirewall
 import org.springframework.security.web.firewall.StrictHttpFirewall
 import org.springframework.stereotype.Component
@@ -182,4 +186,20 @@ class SecurityConfiguration {
         return strictHttpFirewall
     }
 
+    @Bean
+    CookieCsrfTokenRepository cookieCsrfTokenRepository() {
+        CookieCsrfTokenRepository cookieCsrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
+        cookieCsrfTokenRepository.setCookiePath("/");
+        return cookieCsrfTokenRepository;
+    }
+
+    @Bean
+    SessionAuthenticationStrategy csrfAuthenticationStrategy(CookieCsrfTokenRepository cookieCsrfTokenRepository) {
+        if (this.authMode == AuthMode.PKI) {
+            return new NullAuthenticatedSessionStrategy()
+        } else {
+            return new CsrfAuthenticationStrategy(cookieCsrfTokenRepository);
+        }
+    }
+
 }
diff --git a/service/src/test/java/skills/intTests/utils/RestTemplateWrapper.groovy b/service/src/test/java/skills/intTests/utils/RestTemplateWrapper.groovy
@@ -91,7 +91,6 @@ class RestTemplateWrapper extends RestTemplate {
             if (returnedCookies && cookies == null) {
                 cookies = returnedCookies
                 log.info("Setting cookies to {}", returnedCookies)
-                printf "Setting cookies to ${returnedCookies}"
             }
             if (returnedCookies && !xsrfToken) {
                 String cookieXSRF  = returnedCookies.find { it.startsWith("XSRF-TOKEN=") }
@@ -170,6 +169,8 @@ class RestTemplateWrapper extends RestTemplate {
 
                 authenticationToken = authResponse.getHeaders().getFirst(AUTH_HEADER)
             }
+        } else {
+            restTemplate.getForEntity("${skillsServiceUrl}/app/users/validExistingDashboardUserId/{userId}", String, username)
         }
         authenticated = true
     }