fix 2fa session

_Bastler 2023-12-12 17:12:06 +01:00
parent 5f5d505892
commit f11e2fde88


@ -95,9 +95,7 @@ public class SecurityConfig {
.sessionManagement((anonymous) -> anonymous.sessionCreationPolicy(SessionCreationPolicy.ALWAYS) .sessionManagement((anonymous) -> anonymous.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.sessionAuthenticationStrategy(new SessionFixationProtectionStrategy())) .sessionAuthenticationStrategy(new SessionFixationProtectionStrategy()))
// disable deprectated xss protection, x-frame // disable deprectated xss protection, x-frame
.headers((headers) -> headers.xssProtection((xssProtection) -> xssProtection.disable()) .headers((headers) -> headers.xssProtection((xssProtection) -> xssProtection.disable()))
.frameOptions((frameOptions) -> frameOptions.disable()
.referrerPolicy((referrerPolicy) -> referrerPolicy.policy(ReferrerPolicy.UNSAFE_URL))))
// form login // form login
.formLogin((formLogin) -> formLogin.loginPage(loginUrl).usernameParameter("username") .formLogin((formLogin) -> formLogin.loginPage(loginUrl).usernameParameter("username")
.passwordParameter("password") .passwordParameter("password")
@ -119,8 +117,13 @@ public class SecurityConfig {
.exceptionHandling( .exceptionHandling(
(exceptionHandling) -> exceptionHandling.accessDeniedHandler(localAccessDeniedHandler) (exceptionHandling) -> exceptionHandling.accessDeniedHandler(localAccessDeniedHandler)
.authenticationEntryPoint(localAuthenticationEntryPoint())) .authenticationEntryPoint(localAuthenticationEntryPoint()))
// x-frame
.headers((headers) -> headers.frameOptions((frameOptions) -> frameOptions.disable()
.referrerPolicy((referrerPolicy) -> referrerPolicy.policy(ReferrerPolicy.UNSAFE_URL))))
// crsf // crsf
.csrf((csrf) -> csrf.disable()); .csrf((csrf) -> csrf.disable())
// TODO: update
.securityContext((securityContext) -> securityContext.requireExplicitSave(false));
if (disableCors) { if (disableCors) {
http.cors((cors) -> cors.disable()); http.cors((cors) -> cors.disable());
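Review bot: The added `.securityContext((securityContext) -> securityContext.requireExplicitSave(false))` restores implicit saving of the `SecurityContext`, so whatever `Authentication` is in the holder when a request ends is written to the HTTP session; if the 2FA flow (not visible in this hunk) places a first-factor-only authentication there, that state is persisted too, and the authorization rules must reject it until the second factor succeeds. This matters more because `.csrf((csrf) -> csrf.disable())` sits directly above and the relocated `.headers(...)` block still disables frame options, so as far as these lines show, the session carries most of the protection for state-changing requests. The `// TODO: update` comment does not say what is pending; I would replace it with something like `// TODO: save the context explicitly through a SecurityContextRepository once 2FA completes, then remove requireExplicitSave(false)`. The builder chain and its enclosing method start and end outside the hunk.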