dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feature: enable CORS configuration (#1771)

Browse Source
This commit is contained in:
Nanne Baars 2024-03-17 10:55:27 +01:00 committed by GitHub
parent c18430752a
commit 62931a1836
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/main/java/org/owasp/webgoat/container/WebSecurityConfig.java
View File

@ -30,6 +30,7 @@
*/ */
package org.owasp.webgoat.container; package org.owasp.webgoat.container;
import java.util.List;
import lombok.AllArgsConstructor; import lombok.AllArgsConstructor;
import org.owasp.webgoat.container.users.UserService; import org.owasp.webgoat.container.users.UserService;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
@ -43,6 +44,9 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
/** Security configuration for WebGoat. */ /** Security configuration for WebGoat. */
@Configuration @Configuration
@ -83,6 +87,7 @@ public class WebSecurityConfig {
oidc.loginPage("/login"); oidc.loginPage("/login");
}) })
.logout(logout -> logout.deleteCookies("JSESSIONID").invalidateHttpSession(true)) .logout(logout -> logout.deleteCookies("JSESSIONID").invalidateHttpSession(true))
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
.csrf(csrf -> csrf.disable()) .csrf(csrf -> csrf.disable())
.headers(headers -> headers.disable()) .headers(headers -> headers.disable())
.exceptionHandling( .exceptionHandling(
@ -91,6 +96,17 @@ public class WebSecurityConfig {
.build(); .build();
} }
private CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.addAllowedOriginPattern(CorsConfiguration.ALL);
configuration.setAllowedMethods(List.of(CorsConfiguration.ALL));
configuration.setAllowedHeaders(List.of(CorsConfiguration.ALL));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Autowired @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService); auth.userDetailsService(userDetailsService);