oasp-forge / oasp4js-rev

The Open Application Standard Platform for JavaScript
http://oasp.github.io/

Disable Security at OASP4j (momentarily solution before migrating "Security Module") #20

Open cbeldacap opened 8 years ago

cbeldacap commented 8 years ago

Meaning

Due to the current state of the sample application, we've decided, just for now, before we understand how the Security Module must work, to disable it so we can perform different HTTP operations. Applying this "solution", the server won't need to respond to an already logged-in user, and it will be possible to retrieve data lists from it.

Code Modification

It will be necessary to modify several files on the "oasp4j-sample-core" project.

BaseWebSecurityConfig.java --> (oasp4j-sample-core/src/main/java/io.oasp.gastronomy.restaurant/general/configuration/)

Enable CORS operations:

@Value("${security.cors.enabled}")
  boolean corsEnabled = true; // false -> true

Add the REST operations' paths as unsecured:

String[] unsecuredResources =
        new String[] { "/login", "/security/**", "/services/rest/login", "/services/rest/logout", "/services/rest/**" };

Comment the call to CsrfRequestMatcher:

// activate csrf check for a selection of urls (but not for login & logout)
// .csrf().requireCsrfProtectionMatcher(new CsrfRequestMatcher()).and()

Right after that, disable CSRF:

// disable CSRF filtering all together
.csrf().disable()

CsrfRequestMatcher.java --> (oasp4j-sample-core/src/main/java/io/oasp/gastronomy/restaurant/general/common/impl/security)

Add paths without CSRF protection:

  // private static final String[] PATH_PREFIXES_WITHOUT_CSRF_PROTECTION =
  // { "/login", "/logout", "/services/rest/login", "/websocket" };

  private static final String[] PATH_PREFIXES_WITHOUT_CSRF_PROTECTION =
      { "/login", "/logout", "/services/rest/**", "/websocket" };

application.properties --> (oasp4j-sample-core/src/main/resources)

Enable CORS operations:

# false --> true
security.cors.enabled=true

SpringBootApp.java --> (oasp4j-sample-core/src/main/java/io/oasp/gastronomy/restaurant/)

// disable global method security (JSR-250 annotations no longer enforced)
@EnableGlobalMethodSecurity(jsr250Enabled = false)

Anyway, I put here how those 4 files should look by the end of this configuration:

disabled_security_oasp4j.zip
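Since this configuration is meant to be temporary, an added check (not part of this issue or the oasp4j project) that scans the four files above for the disabling markers, so a build with security switched off is flagged before it leaves a development machine. The file contents below are constructed excerpts mirroring the edits in this issue; the file names are assumed to match the real ones.

```python
import re
from typing import Dict, List, Tuple

# (file name, regex, must the match sit on a commented-out line?, meaning)
# Every marker corresponds to one edit described in the issue.
CHECKS = [
    ("BaseWebSecurityConfig.java", r"\.csrf\(\)\s*\.disable\(\)", False, "CSRF filtering disabled"),
    ("BaseWebSecurityConfig.java", r"requireCsrfProtectionMatcher", True, "CsrfRequestMatcher call commented out"),
    ("BaseWebSecurityConfig.java", r'"/services/rest/\*\*"', False, "every REST path listed as unsecured"),
    ("CsrfRequestMatcher.java", r'"/services/rest/\*\*"', False, "every REST path exempt from CSRF checks"),
    ("application.properties", r"^\s*security\.cors\.enabled\s*=\s*true\s*$", False, "CORS enabled"),
    ("SpringBootApp.java", r"jsr250Enabled\s*=\s*false", False, "JSR-250 method security disabled"),
]

def _is_comment(line: str) -> bool:
    s = line.lstrip()
    return s.startswith("//") or s.startswith("#")

def audit(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (file, line number, finding) for each marker present in the given file contents."""
    findings = []
    for name, pattern, want_comment, meaning in CHECKS:
        rx = re.compile(pattern)
        for lineno, line in enumerate(files.get(name, "").splitlines(), start=1):
            if rx.search(line) and _is_comment(line) == want_comment:
                findings.append((name, lineno, meaning))
    return findings

DISABLED = {  # constructed excerpts reflecting the issue's four edits
    "BaseWebSecurityConfig.java": (
        'String[] unsecuredResources = new String[] { "/login", "/security/**",\n'
        '    "/services/rest/login", "/services/rest/logout", "/services/rest/**" };\n'
        "// .csrf().requireCsrfProtectionMatcher(new CsrfRequestMatcher()).and()\n"
        ".csrf().disable()\n"),
    "CsrfRequestMatcher.java": (
        "private static final String[] PATH_PREFIXES_WITHOUT_CSRF_PROTECTION =\n"
        '    { "/login", "/logout", "/services/rest/**", "/websocket" };\n'),
    "application.properties": "# false --> true\nsecurity.cors.enabled=true\n",
    "SpringBootApp.java": "@EnableGlobalMethodSecurity(jsr250Enabled = false)\n",
}
RESTORED = {  # constructed excerpts with the original, secured settings
    "BaseWebSecurityConfig.java": (
        'String[] unsecuredResources = new String[] { "/login", "/security/**",\n'
        '    "/services/rest/login", "/services/rest/logout" };\n'
        ".csrf().requireCsrfProtectionMatcher(new CsrfRequestMatcher()).and()\n"),
    "CsrfRequestMatcher.java": (
        "private static final String[] PATH_PREFIXES_WITHOUT_CSRF_PROTECTION =\n"
        '    { "/login", "/logout", "/services/rest/login", "/websocket" };\n'),
    "application.properties": "security.cors.enabled=false\n",
    "SpringBootApp.java": "@EnableGlobalMethodSecurity(jsr250Enabled = true)\n",
}

if __name__ == "__main__":
    for f, n, why in audit(DISABLED):
        print(f"{f}:{n}: {why}")  # six findings for DISABLED, none for RESTORED
```

Run it against the real files (read from disk into the same dict) as a pre-commit or CI step; a non-empty result means the temporary settings are still in place.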