#4975 - Cancelling background jobs no longer works

- Change the way that CSRF is not applied to Wicket UI calls but still register Spring CSRF token in the request - Update some of the Spring Security configuration to non-deprecated calls
inception-project · Aug 5, 2024 · 44c8442 · 44c8442
1 parent 0aa37fd
commit 44c8442
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 10 deletions.
diff --git a/.../tudarmstadt/ukp/inception/app/config/InceptionSecurityWebUIBuiltInAutoConfiguration.java b/.../tudarmstadt/ukp/inception/app/config/InceptionSecurityWebUIBuiltInAutoConfiguration.java
@@ -42,6 +42,8 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 
 import de.tudarmstadt.ukp.inception.security.oauth.OAuth2Adapter;
 import de.tudarmstadt.ukp.inception.security.saml.Saml2Adapter;
@@ -60,8 +62,20 @@ public SecurityFilterChain webUiFilterChain(HttpSecurity aHttp,
             Optional<RelyingPartyRegistrationRepository> aRelyingPartyRegistrationRepository)
         throws Exception
     {
-        aHttp.csrf().disable();
-        aHttp.headers().frameOptions().sameOrigin();
+        aHttp.csrf(csrf -> {
+            // Instead of disabling the Spring CSRF filter, we just disable the CSRF validation for
+            // the Wicket UI (Wicket has its own CSRF mechanism). This way, Spring will still
+            // populate the CSRF token attribute in the request which we will need later when we
+            // need to provide the token to the JavaScript code in the browser to make callbacks to
+            // Spring MVC controllers.
+            csrf.requireCsrfProtectionMatcher(
+                    new NegatedRequestMatcher(AnyRequestMatcher.INSTANCE));
+        });
+        aHttp.headers(headers -> {
+            headers.frameOptions(frameOptions -> {
+                frameOptions.sameOrigin();
+            });
+        });
 
         var authorizations = aHttp.authorizeHttpRequests();
         authorizations.requestMatchers("/login.html*").permitAll();

diff --git a/...ecurity/src/main/java/de/tudarmstadt/ukp/clarin/webanno/security/WicketSecurityUtils.java b/...ecurity/src/main/java/de/tudarmstadt/ukp/clarin/webanno/security/WicketSecurityUtils.java
@@ -19,6 +19,7 @@
 
 import org.apache.wicket.protocol.http.servlet.ServletWebRequest;
 import org.apache.wicket.request.cycle.RequestCycle;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -30,6 +31,12 @@ public static String getCsrfTokenFromSession()
     {
         var httpRequest = (HttpServletRequest) RequestCycle.get().getRequest()
                 .getContainerRequest();
+
+        var token = (CsrfToken) httpRequest.getAttribute("_csrf");
+        if (token != null) {
+            return token.getToken();
+        }
+
         var httpResponse = (HttpServletResponse) RequestCycle.get().getResponse()
                 .getContainerResponse();
 

diff --git a/...tudarmstadt/ukp/inception/security/config/InceptionSecurityWebUIApiAutoConfiguration.java b/...tudarmstadt/ukp/inception/security/config/InceptionSecurityWebUIApiAutoConfiguration.java
@@ -71,14 +71,21 @@ public SecurityFilterChain uiViewFilterChain(HttpSecurity aHttp) throws Exceptio
 
     private void commonConfiguration(HttpSecurity aHttp) throws Exception
     {
-        aHttp.authorizeHttpRequests() //
-                .requestMatchers("/**").hasAnyRole("USER") //
-                .anyRequest().denyAll();
-        aHttp.sessionManagement().sessionCreationPolicy(NEVER);
-        aHttp.exceptionHandling() //
-                .defaultAuthenticationEntryPointFor( //
-                        new Http403ForbiddenEntryPoint(), //
-                        new AntPathRequestMatcher("/**"));
+        aHttp.authorizeHttpRequests(authorizeHttpRequests -> {
+            authorizeHttpRequests //
+                    .requestMatchers("/**").hasAnyRole("USER") //
+                    .anyRequest().denyAll();
+        });
+
+        aHttp.sessionManagement(sessionManagement -> {
+            sessionManagement.sessionCreationPolicy(NEVER);
+        });
+
+        aHttp.exceptionHandling(exceptionHandling -> {
+            exceptionHandling.defaultAuthenticationEntryPointFor( //
+                    new Http403ForbiddenEntryPoint(), //
+                    new AntPathRequestMatcher("/**"));
+        });
 
     }
 }