diff --git a/dashboard/src/store/modules/auth.js b/dashboard/src/store/modules/auth.js
index 6da12e6b90..c7d48b6862 100644
--- a/dashboard/src/store/modules/auth.js
+++ b/dashboard/src/store/modules/auth.js
@@ -168,7 +168,7 @@ const actions = {
 logout({ commit }) {
 commit('clearAuthData');
 commit('showUa', false, { root: true });
- axios.get('/logout')
+ axios.post('/logout')
 .then(() => {
 router.replace('/skills-login');
 });
diff --git a/service/src/main/java/skills/auth/PortalWebSecurityHelper.groovy b/service/src/main/java/skills/auth/PortalWebSecurityHelper.groovy
index 719c359d64..e15450c82d 100644
--- a/service/src/main/java/skills/auth/PortalWebSecurityHelper.groovy
+++ b/service/src/main/java/skills/auth/PortalWebSecurityHelper.groovy
@@ -28,11 +28,14 @@ import org.springframework.security.authorization.AuthorizationManager
 import org.springframework.security.authorization.AuthorizationManagers
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext
+import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository
 import org.springframework.security.web.csrf.CsrfToken
 import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository
 import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher
 import org.springframework.security.web.util.matcher.OrRequestMatcher
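Review bot: The `.then()` on the new `axios.post('/logout')` has no rejection handler, so a failed POST (for example a 403 when the XSRF double-submit cookie is missing or stale, a failure mode this request is newly subject to) leaves the local auth data already cleared by `commit('clearAuthData')` but the user still on the current page. The redirect should not depend on the server reply succeeding: change `.then(() => { router.replace('/skills-login'); })` to `.finally(() => { router.replace('/skills-login'); })`, or add a `.catch()` that logs the error and still redirects. The closing brace of `logout` lies outside the hunk, and whether the server-side logout endpoint now accepts only POST is not visible in this diff, so that pairing is an assumption to confirm.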
@@ -68,16 +71,24 @@ class PortalWebSecurityHelper {
 @Autowired
 InviteOnlyProjectAuthorizationManager inviteOnlyProjectAuthorizationManager
 
+ @Autowired
+ CookieCsrfTokenRepository cookieCsrfTokenRepository
+
 @Autowired
 UserCommunityAuthorizationManager userCommunityAuthorizationManager
 
+ @Autowired
+ SessionAuthenticationStrategy csrfAuthenticationStrategy
+
 HttpSecurity configureHttpSecurity(HttpSecurity http) {
 if (disableCsrfProtection) {
 http.csrf().disable()
 } else {
 http.csrf((csrf) -> csrf
 .requireCsrfProtectionMatcher(new MultipartRequestMatcher())
- .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .csrfTokenRepository(cookieCsrfTokenRepository)
+// .csrfTokenRepository(new HttpSessionCsrfTokenRepository())
+ .sessionAuthenticationStrategy(csrfAuthenticationStrategy)
 .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()))
 .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
 }
diff --git a/service/src/main/java/skills/auth/SecurityConfiguration.groovy b/service/src/main/java/skills/auth/SecurityConfiguration.groovy
index 8d1f0b682f..171adc6cf3 100644
--- a/service/src/main/java/skills/auth/SecurityConfiguration.groovy
+++ b/service/src/main/java/skills/auth/SecurityConfiguration.groovy
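Review bot: The commented-out `// .csrfTokenRepository(new HttpSessionCsrfTokenRepository())` sitting at column 0 inside the builder chain should be deleted, not shipped; once it goes, the `HttpSessionCsrfTokenRepository` import added in the previous hunk of this file has no user, and `NullAuthenticatedSessionStrategy` appears unused in the parts of this file shown here as well. The new `.sessionAuthenticationStrategy(csrfAuthenticationStrategy)` overrides the strategy Spring would otherwise build from the token repository, and the injected bean is selected by `authMode` in another file, so a one-line comment above it would spare the next reader a hunt: `// NullAuthenticatedSessionStrategy in PKI mode, CsrfAuthenticationStrategy otherwise — see SecurityConfiguration.csrfAuthenticationStrategy()`. The enclosing `configureHttpSecurity` continues past the hunk.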
@@ -38,7 +38,11 @@ import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.access.AccessDeniedHandler
 import org.springframework.security.web.access.AccessDeniedHandlerImpl
+import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
 import org.springframework.security.web.context.SecurityContextRepository
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository
+import org.springframework.security.web.csrf.CsrfAuthenticationStrategy
 import org.springframework.security.web.firewall.HttpFirewall
 import org.springframework.security.web.firewall.StrictHttpFirewall
 import org.springframework.stereotype.Component
@@ -182,4 +186,20 @@ class SecurityConfiguration {
 return strictHttpFirewall
 }
 
+ @Bean
+ CookieCsrfTokenRepository cookieCsrfTokenRepository() {
+ CookieCsrfTokenRepository cookieCsrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
+ cookieCsrfTokenRepository.setCookiePath("/");
+ return cookieCsrfTokenRepository;
+ }
+
+ @Bean
+ SessionAuthenticationStrategy csrfAuthenticationStrategy(CookieCsrfTokenRepository cookieCsrfTokenRepository) {
+ if (this.authMode == AuthMode.PKI) {
+ return new NullAuthenticatedSessionStrategy()
+ } else {
+ return new CsrfAuthenticationStrategy(cookieCsrfTokenRepository);
+ }
+ }
+
 }
diff --git a/service/src/test/java/skills/intTests/utils/RestTemplateWrapper.groovy b/service/src/test/java/skills/intTests/utils/RestTemplateWrapper.groovy
index fc010827d0..4919ae7482 100644
--- a/service/src/test/java/skills/intTests/utils/RestTemplateWrapper.groovy
+++ b/service/src/test/java/skills/intTests/utils/RestTemplateWrapper.groovy
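Review bot: `csrfAuthenticationStrategy` returns `NullAuthenticatedSessionStrategy` in PKI mode, which means the CSRF token is never replaced when an authentication occurs, and nothing in the bean records why that is acceptable for PKI but not for the other modes; a comment above the `if`, along the lines of `// PKI authenticates every request from the client certificate, so there is no login event on which to rotate the CSRF token` (or whatever the real reason is), would keep the next maintainer from "fixing" it. `setCookiePath("/")` similarly widens the XSRF-TOKEN cookie beyond the context-path scope the repository would otherwise use, without a note saying why; if the dashboard can be served under a non-root context path, state that there. As a matter of style the new code mixes semicolon-terminated statements (`withHttpOnlyFalse();`, `setCookiePath("/");`) with semicolon-free Groovy (`return new NullAuthenticatedSessionStrategy()`); pick one, and the `if`/`else` with two returns reads more simply as `return this.authMode == AuthMode.PKI ? new NullAuthenticatedSessionStrategy() : new CsrfAuthenticationStrategy(cookieCsrfTokenRepository)`.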
@@ -91,7 +91,6 @@ class RestTemplateWrapper extends RestTemplate {
 if (returnedCookies && cookies == null) {
 cookies = returnedCookies
 log.info("Setting cookies to {}", returnedCookies)
- printf "Setting cookies to ${returnedCookies}"
 }
 if (returnedCookies && !xsrfToken) {
 String cookieXSRF = returnedCookies.find { it.startsWith("XSRF-TOKEN=") }
@@ -170,6 +169,8 @@ class RestTemplateWrapper extends RestTemplate {
 
 authenticationToken = authResponse.getHeaders().getFirst(AUTH_HEADER)
 }
+ } else {
+ restTemplate.getForEntity("${skillsServiceUrl}/app/users/validExistingDashboardUserId/{userId}", String, username)
 }
 authenticated = true
 }
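Review bot: The new `else` branch calls `restTemplate.getForEntity(...)` and discards the response, so nothing explains why a read of `/app/users/validExistingDashboardUserId/{userId}` belongs in an authentication helper, and `authenticated = true` is then set without looking at what came back (a non-2xx status would throw out of the method by default, which may be the intended signal, but that is not stated). Put the intent above the call — presumably something like `// prime the session and XSRF-TOKEN cookie for the non-form auth path so later CSRF-protected requests carry a token`, to be confirmed against whatever this branch is actually for — or check the result explicitly instead of relying on the exception. The enclosing method starts outside the hunk.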