Code scanning alertsのDisabled Spring CSRF protectionに対応 (#1771)

* Disabled CSRF に対する対応 * 除外の範囲を拡大する
AlesInfiny · Jan 6, 2025 · 6b61710 · 6b61710
1 parent 09b8af4
commit 6b61710
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/...b2c-sample/auth-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java b/...b2c-sample/auth-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
@@ -38,7 +38,6 @@ public class WebSecurityConfig {
   public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
     JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
     http.securityMatcher("/api/**")
-        .csrf(csrf -> csrf.disable())
         .cors(cors -> cors.configurationSource(request -> {
           CorsConfiguration conf = new CorsConfiguration();
           conf.setAllowCredentials(true);

diff --git a/...web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java b/...web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
@@ -31,7 +31,9 @@ public class WebSecurityConfig {
   public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
     http
         .securityMatcher("/api/**")
-        .csrf(csrf -> csrf.disable())
+        // CSRF トークンを利用したリクエストの検証を無効化（ OAuth2.0 による認証認可を利用する前提のため）
+        // OAuth2.0 によるリクエストの検証を利用しない場合は、有効化して CSRF 対策を施す
+        .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
         .cors(cors -> cors.configurationSource(request -> {
           CorsConfiguration conf = new CorsConfiguration();
           conf.setAllowCredentials(true);