

Disable Spring Security CSRF BREACH protection as it's unnecessary fo…
…r DSpace & causes our token to grow on each request.
tdonohue committed Apr 5, 2024
1 parent 96d1385 commit 5a1c3c8
Showing 2 changed files with 7 additions and 67 deletions.

This file was deleted.

Expand Up @@ -29,6 +29,7 @@
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/**
Expand Down Expand Up @@ -112,7 +113,12 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
.csrf((csrf) -> csrf
.csrfTokenRepository(this.csrfTokenRepository())
.sessionAuthenticationStrategy(this.dSpaceCsrfAuthenticationStrategy())
.csrfTokenRequestHandler(new DSpaceCsrfTokenRequestHandler()))
// Disable SpringSecurity BREACH protection, as this is not working well with Cookie-based storage.
// When enabled, BREACH protection causes the CSRF token to grow in size until UI errors occur.
// See https://github.com/DSpace/DSpace/issues/9450
// NOTE: DSpace doesn't need BREACH protection as it's only necessary when sending the token via a
// request attribute (e.g. "_csrf") which the DSpace UI never does.
.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
.exceptionHandling((exceptionHandling) -> exceptionHandling
// Return 401 on authorization failures with a correct WWWW-Authenticate header
.authenticationEntryPoint(new DSpace401AuthenticationEntryPoint(restAuthenticationService))
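Review bot: The justification in the new comment block above `.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())` is stated in terms of how the request carries the token, but the property the XOR-masking handler defends against is the token value being reflected in a compressed HTTP response body, which is independent of whether the client later sends it as a `_csrf` parameter or as a header. The rationale is sound only as long as the server never writes the CSRF token into a compressible response body; if that is the case here, the comment should say so, because it is the condition a future change must preserve. Suggested wording for the NOTE line: `// NOTE: BREACH protection is only needed when the token value is echoed into a compressed response body; DSpace delivers it via cookie/header only, so the unmasked handler is safe here.` Keep the issue link as-is. The enclosing `filterChain` method starts and ends outside this hunk, so any other handler configuration it contains is not visible for review.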

0 comments on commit 5a1c3c8
