
Commit f37f9b2

add csrf switch
1 parent 6844b0a commit f37f9b2


6 files changed

+26
-13
lines changed


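--- a/README.md
+++ b/README.md
@@ -18,13 +18,13 @@ Sort by letter.
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)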

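--- a/README_zh.md
+++ b/README_zh.md
@@ -15,13 +15,13 @@
 - [Actuators to RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/resources/logback-online.xml)
 - [CORS](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CORS.java)
 - [CRLF Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/CRLFInjection.java)
-- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/WebSecurityConfig.java)
+- [CSRF](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/security/WebSecurityConfig.java)
 - [Deserialize](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Deserialize.java)
 - [Fastjson](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Fastjson.java)
 - [File Upload](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/FileUpload.java)
 - [IP Forge](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/IPForge.java)
 - [Java RMI](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/RMI/Server.java)
-- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/JSONP.java)
+- [JSONP](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/jsonp/JSONP.java)
 - [RCE](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/Rce.java)
 - [SPEL](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SPEL.java)
 - [SQL Injection](https://github.com/JoyChou93/java-sec-code/blob/master/src/main/java/org/joychou/controller/SQLI.java)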

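--- a/src/main/java/org/joychou/CsrfAccessDeniedHandler.java
+++ b/src/main/java/org/joychou/security/CsrfAccessDeniedHandler.java
@@ -1,4 +1,4 @@
-package org.joychou;
+package org.joychou.security;
 
 
 import org.springframework.http.MediaType;
@@ -11,12 +11,12 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
+/**
+* Design csrf access denied page.
+*
+*/
 public class CsrfAccessDeniedHandler implements AccessDeniedHandler {
 
-/**
-* Design csrf access denied page.
-*
-*/
 @Override
 public void handle(HttpServletRequest request, HttpServletResponse response,
 AccessDeniedException accessDeniedException) throws IOException, ServletException {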

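--- a/src/main/java/org/joychou/WebSecurityConfig.java
+++ b/src/main/java/org/joychou/security/WebSecurityConfig.java
@@ -1,5 +1,6 @@
-package org.joychou;
+package org.joychou.security;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -10,10 +11,18 @@
 import java.util.Arrays;
 import java.util.HashSet;
 
+
+/**
+* Congifure csrf
+*
+*/
 @EnableWebSecurity
 @Configuration
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
+@Value("${org.joychou.security.csrf}")
+private Boolean csrfSwitch; // get csrf switch in application.properties
+
 RequestMatcher csrfRequestMatcher = new RequestMatcher() {
 
 // 配置不需要CSRF校验的请求方式
@@ -23,6 +32,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 public boolean matches(HttpServletRequest request) {
 // return false表示不校验csrf
+if (!csrfSwitch) {
+return false;
+}
 return !this.allowedMethods.contains(request.getMethod());
 }
 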
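Review bot: `if (!csrfSwitch)` at new lines 35–37 unboxes a `Boolean` whose only source is `@Value("${org.joychou.security.csrf}")` with no default, so the switch has no fail-closed path: with Spring's default placeholder handling an unset property aborts startup, and any path that leaves the field null would throw NullPointerException inside the matcher instead of keeping CSRF validation on. Declaring it as `@Value("${org.joychou.security.csrf:true}") private boolean csrfSwitch;` makes an absent property mean "validate CSRF" and removes the unboxing. The Javadoc added in the second hunk misspells "Configure" (`Congifure csrf`) and would be more useful stating the effect of the flag, e.g. `Configures CSRF protection; when org.joychou.security.csrf is false every request is exempted from token validation.` The enclosing anonymous RequestMatcher and the class body continue outside the hunk.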
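--- a/src/main/java/org/joychou/security/secFilter.java
+++ b/src/main/java/org/joychou/security/jsonpFilter.java
@@ -18,7 +18,7 @@
 *
 */
 @WebFilter(filterName = "referSecCheck", urlPatterns = "/*")
-public class secFilter implements Filter {
+public class jsonpFilter implements Filter {
 
 @Value("${org.joychou.security.jsonp}")
 private Boolean jsonpSwitch; // get application.properties configure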
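--- a/<properties file path not shown on page>
+++ b/<properties file path not shown on page>
@@ -1,7 +1,8 @@
 
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
-logging.config=classpath:logback-online.xml
+# logging.config=classpath:logback-online.xml
 
 # jsonp check referer switch
-org.joychou.security.jsonp = true
+org.joychou.security.jsonp = true
+org.joychou.security.csrf = false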
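Review bot: The new key `org.joychou.security.csrf = false` on new line 8 has no comment, unlike `org.joychou.security.jsonp`, which is introduced by `# jsonp check referer switch` two lines above; a line such as `# csrf token check switch, read by WebSecurityConfig; false exempts every request from validation` would keep the two switches documented the same way. Shipping the value as `false` means CSRF validation is off until someone edits this file, so if an off-by-default switch is intended the comment should say so explicitly. The file header is missing from this rendering; the file is presumably the application.properties named in the `csrfSwitch` comment in WebSecurityConfig. Note also that `logging.config=classpath:logback-online.xml` is commented out here while both README hunks still link "Actuators to RCE" to that file.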
