From f2c15d100d3ae0f6d9d076c2f965813724b5d3ea Mon Sep 17 00:00:00 2001
From: Paulo Gustavo Veiga <pveiga@wisemapping.com>
Date: Sat, 19 Feb 2022 15:57:57 -0800
Subject: [PATCH] Add CSRD to get operations

---
 .../security/CSFRRequestMatcher.java          | 27 +++++++++++++++++++
 .../webapp/WEB-INF/wisemapping-security.xml   | 13 +++++----
 2 files changed, 33 insertions(+), 7 deletions(-)
 create mode 100644 wise-webapp/src/main/java/com/wisemapping/security/CSFRRequestMatcher.java

diff --git a/wise-webapp/src/main/java/com/wisemapping/security/CSFRRequestMatcher.java b/wise-webapp/src/main/java/com/wisemapping/security/CSFRRequestMatcher.java
new file mode 100644
index 00000000..dff0596a
--- /dev/null
+++ b/wise-webapp/src/main/java/com/wisemapping/security/CSFRRequestMatcher.java
@@ -0,0 +1,27 @@
+package com.wisemapping.security;
+
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Arrays;
+
+public class CSFRRequestMatcher implements RequestMatcher {
+
+    private String prefix;
+    static String[] supportedMethods = {"POST", "PUT", "GET", "DELETE", "PATCH"};
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        final String requestURI = request.getRequestURI();
+        return Arrays.stream(supportedMethods).anyMatch(p -> request.getMethod().toUpperCase().equals(p))
+                && requestURI.startsWith(prefix);
+    }
+
+    public String getPrefix() {
+        return prefix;
+    }
+
+    public void setPrefix(String prefix) {
+        this.prefix = prefix;
+    }
+}
diff --git a/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml b/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml
index da13fe3d..e75ddd93 100644
--- a/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml
+++ b/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml
@@ -42,7 +42,7 @@
         <sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>
         <sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>
 
-        
+
         <sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>
         <sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>
 
@@ -62,8 +62,6 @@
         <sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>
 
         <sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/>
-
-        <sec:csrf/>
         <sec:access-denied-handler error-page="/c/login"/>
         <sec:form-login login-page="/c/login"
                         authentication-success-handler-ref="authenticationSuccessHandler"
@@ -74,12 +72,13 @@
         <!-- Expire in 28 days -->
         <sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
         <sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>
-        <sec:csrf token-repository-ref="tokenRepository"/>
+        <sec:csrf request-matcher-ref="requestMatcher"/>
     </sec:http>
 
-    <bean id="tokenRepository"
-          class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
-        <property name="cookieHttpOnly" value="true"/>
+    <!-- Extends CFSR check to get methods to have consistency in all errors. Otherwise, request is forward in some cases -->
+    <bean id="requestMatcher"
+          class="com.wisemapping.security.CSFRRequestMatcher">
+        <property name="prefix" value="/c/restful/"/>
     </bean>
 
     <import resource="wisemapping-security-${security.type}.xml"/>