CSRF (Cross Site Request Forgery) Protection #1826
security-csrf/src/main/java/io/micronaut/security/csrf/filter/CsrfFilter.java
```java
}

boolean shouldTheFilterProcessTheRequestAccordingToTheUriMatch(String uri) {
    boolean matches = PathMatcher.REGEX.matches(csrfFilterConfiguration.getRegexPattern(), uri);
```
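Review bot: the boolean returned from `shouldTheFilterProcessTheRequestAccordingToTheUriMatch` gates whether the CSRF filter runs at all, so a `regex-pattern` that does not cover a state-changing route silently leaves that route unprotected. Consider logging at debug level when a request is skipped by the URI match, and adding a test for the non-matching branch so the default pattern cannot be narrowed by accident without a failing test.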
Compile the pattern and store in a field
That is what RegexPathMatcher does. It stores it in a concurrent hash map.
security-csrf/src/main/java/io/micronaut/security/csrf/filter/CsrfFilter.java
```java
}

@Override
public String getRegexPattern() {
```
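Review bot: `getRegexPattern()` returns the raw regex string, but nothing in view states whether the configured pattern must match the whole request path or only part of it, and the Javadoc fragment "The patterns this filter should match" speaks of patterns in the plural while the getter returns a single String. Document the match semantics and the default value on the property, and make the singular/plural consistent so users do not expect a list.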
Maybe have the property named `regex`, and `regexPattern` will return an instance of `Pattern`?
I think the name `regex-pattern` is appropriate. I want to convey it is the pattern used for the filter, and I want to convey it is a regular expression, not an Ant pattern.
The patterns this filter should match
security-csrf/src/main/java/io/micronaut/security/csrf/generator/CsrfHmacTokenGenerator.java
...rity-csrf/src/main/java/io/micronaut/security/csrf/session/HttpSessionSessionIdResolver.java
...ty-csrf/src/main/java/io/micronaut/security/csrf/validator/RepositoryCsrfTokenValidator.java
...src/main/java/io/micronaut/security/token/jwt/validator/JsonWebTokenIdSessionIdResolver.java
security-session/src/main/java/io/micronaut/security/session/DefaultSessionPopulator.java
security/src/main/java/io/micronaut/security/session/CompositeSessionIdResolver.java
After this PR gets merged, I will do a PR in Views to add a ViewModelProcessor which adds the CSRF token to the views seamlessly. I will also explore adding it to the form generation API.