Commit 2c47208e authored by Matija Obreza's avatar Matija Obreza

REST API should not require csrf tokens

parent 25b621ce
......@@ -89,6 +89,7 @@
<sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
<sec:expression-handler ref="oauthWebExpressionHandler" />
<sec:csrf disabled="true" />
</sec:http>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
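Review bot: Disabling CSRF on this filter chain with `<sec:csrf disabled="true" />` is only safe if no request to these paths can be authenticated by something the browser attaches automatically, and the opening `<sec:http>` element with its `create-session` setting is outside the hunk, so that cannot be confirmed from here. OAuth2 bearer tokens in an Authorization header are not sent by a browser on their own, but the `<sec:http-basic>` enabled on the same chain means cached Basic credentials would be replayed automatically, and a session cookie would be as well if this chain is not stateless. I'd record the invariant next to the added line, `<!-- CSRF disabled: this chain must remain stateless (create-session="stateless") and authenticate only via Authorization header credentials, never via session cookie -->`, and confirm `create-session="stateless"` is set on this `<sec:http>` element and that Basic auth here is meant for non-browser clients only.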
......@@ -22,18 +22,19 @@
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
<!-- <bean name="authUserDetailsService" class="org.genesys2.server.service.impl.AuthUserDetailsService" />
-->
<!--
<bean name="authUserDetailsService" class="org.genesys2.server.service.impl.AuthUserDetailsService" />
-->
<!-- Authentication manager -->
<bean name="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="authUserDetailsService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator" />
</bean>
......@@ -52,19 +53,19 @@
<!-- <intercept-url pattern="/data/**" access="isAuthenticated()" /> -->
<sec:intercept-url pattern="/admin/**" access="hasRole('ADMINISTRATOR')" />
<sec:intercept-url pattern="/profile**" access="isAuthenticated()" />
<sec:intercept-url pattern="/oauth/authorize" access="isAuthenticated()" />
<sec:intercept-url pattern="/oauth/authorize" access="isAuthenticated()" />
<!--Override default login and logout pages -->
<sec:form-login login-page="/login" authentication-failure-url="/login?error=1" login-processing-url="/login-attempt" default-target-url="/" always-use-default-target="false" />
<sec:session-management session-fixation-protection="migrateSession" />
<sec:session-management session-fixation-protection="migrateSession" />
<sec:logout logout-url="/logout" logout-success-url="/" />
<sec:access-denied-handler error-page="/access-denied" />
<sec:expression-handler ref="webExpressionHandler"/>
<sec:expression-handler ref="webExpressionHandler" />
<!--enable CSRF protection-->
<sec:csrf />
<!--enable CSRF protection-->
<sec:csrf />
</sec:http>
</beans>