From 4fa3db3d333facee86110743ca06e1af6f285db6 Mon Sep 17 00:00:00 2001
From: RyoNakagawa
Date: Mon, 6 Jan 2025 11:37:04 +0900
Subject: [PATCH 1/2] =?UTF-8?q?Disabled=20CSRF=20=E3=81=AB=E5=AF=BE?=
 =?UTF-8?q?=E3=81=99=E3=82=8B=E5=AF=BE=E5=BF=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/com/dressca/web/security/WebSecurityConfig.java | 1 -
 .../main/java/com/dressca/web/security/WebSecurityConfig.java | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/samples/azure-ad-b2c-sample/auth-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java b/samples/azure-ad-b2c-sample/auth-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
index 09518d646..174088043 100644
--- a/samples/azure-ad-b2c-sample/auth-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
+++ b/samples/azure-ad-b2c-sample/auth-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
@@ -38,7 +38,6 @@ public class WebSecurityConfig {
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
 http.securityMatcher("/api/**")
- .csrf(csrf -> csrf.disable())
 .cors(cors -> cors.configurationSource(request -> {
 CorsConfiguration conf = new CorsConfiguration();
 conf.setAllowCredentials(true);
diff --git a/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java b/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
index 5bbd9d0f8..2967112b3 100644
--- a/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
+++ b/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
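Review bot: Dropping `.csrf(csrf -> csrf.disable())` here re-enables Spring Security's default, session-backed CSRF token check on the whole `/api/**` chain, which the `JwtAuthenticationConverter` on the line above suggests is a bearer-token resource server; unless a token repository is configured outside this hunk, every non-GET `/api` request from a token-only client will now be rejected with 403. The sibling sample in this same patch handles the identical finding with an explicit `ignoringRequestMatchers` plus a rationale comment, so the two samples now diverge with no stated reason. If bearer authentication is the intent, apply the same explicit exclusion with its rationale, `.csrf(csrf -> csrf.ignoringRequestMatchers("/api/**")) // bearer-token API: browsers never attach Authorization automatically, so CSRF does not apply`; if CSRF is genuinely wanted on this chain, pair it with `CookieCsrfTokenRepository.withHttpOnlyFalse()` so a browser client can actually obtain the token. The enclosing `filterChain` method continues past the end of the hunk.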
@@ -31,7 +31,9 @@ public class WebSecurityConfig {
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http
 .securityMatcher("/api/**")
- .csrf(csrf -> csrf.disable())
+ // CSRF トークンを利用したリクエストの検証を無効化( OAuth2.0 による認証認可を利用する前提のため)
+ // OAuth2.0 によるリクエストの検証を利用しない場合は、有効化して CSRF 対策を施す
+ .csrf(csrf -> csrf.ignoringRequestMatchers("/api/*"))
 .cors(cors -> cors.configurationSource(request -> {
 CorsConfiguration conf = new CorsConfiguration();
 conf.setAllowCredentials(true);
From 8a3ead7b17aa30251b5472d38398fdc2d96a4f54 Mon Sep 17 00:00:00 2001
From: RyoNakagawa
Date: Mon, 6 Jan 2025 11:50:20 +0900
Subject: [PATCH 2/2] =?UTF-8?q?=E9=99=A4=E5=A4=96=E3=81=AE=E7=AF=84?=
 =?UTF-8?q?=E5=9B=B2=E3=82=92=E6=8B=A1=E5=A4=A7=E3=81=99=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/com/dressca/web/security/WebSecurityConfig.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java b/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
index 2967112b3..1022f8e60 100644
--- a/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
+++ b/samples/web-csr/dressca-backend/web/src/main/java/com/dressca/web/security/WebSecurityConfig.java
@@ -33,7 +33,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 .securityMatcher("/api/**")
 // CSRF トークンを利用したリクエストの検証を無効化( OAuth2.0 による認証認可を利用する前提のため)
 // OAuth2.0 によるリクエストの検証を利用しない場合は、有効化して CSRF 対策を施す
- .csrf(csrf -> csrf.ignoringRequestMatchers("/api/*"))
+ .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
 .cors(cors -> cors.configurationSource(request -> {
 CorsConfiguration conf = new CorsConfiguration();
 conf.setAllowCredentials(true);
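Review bot: Because this chain's `securityMatcher` is also `/api/**`, `ignoringRequestMatchers("/api/**")` exempts every request the chain handles, so the end state is functionally identical to the `csrf.disable()` the two commits replaced — whatever flagged the original call is silenced, but nothing changes for an attacker. That is only safe while authentication on this chain is exclusively bearer-token; with `conf.setAllowCredentials(true)` on the CORS line below, any cookie- or session-backed credential accepted here would make cross-origin POSTs to `/api` forgeable again, and the comment above records that assumption without enforcing it. Consider pinning the precondition in code next to the resource-server setup (not visible in this hunk), e.g. `.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))`, and extending the comment with a line such as `// NOTE: this exclusion must be removed if cookie/session-based login is ever added to this chain`. The `securityFilterChain` method begins before and continues after this hunk.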