package org.libresonic.player.security; import org.springframework.security.web.util.matcher.RegexRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.stereotype.Component; import javax.servlet.http.HttpServletRequest; import java.util.regex.Pattern; /** * See * * http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/ * https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-csrf * * */ @Component public class CsrfSecurityRequestMatcher implements RequestMatcher { private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$"); private RegexRequestMatcher dwrRequestMatcher = new RegexRequestMatcher("/dwr/.*\\.dwr", "POST"); private RegexRequestMatcher restRequestMatcher = new RegexRequestMatcher("/rest/.*\\.view(\\?.*)?", "POST"); @Override public boolean matches(HttpServletRequest request) { boolean requireCsrfToken = true; if(allowedMethods.matcher(request.getMethod()).matches()){ requireCsrfToken = false; } else { if (dwrRequestMatcher.matches(request)) { requireCsrfToken = false; } else if (restRequestMatcher.matches(request)) { requireCsrfToken = false; } } return requireCsrfToken; } }