hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-07 01:54:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(#9774): Restore eager loading for CSRF tokens

Browse Source 
(cherry picked from commit 36192794d9)
This commit is contained in:
JohnnyMendesC
2025-08-12 17:20:49 -03:00
committed by github-actions[bot]
parent e94d483c86
commit 4468e2c699
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
dspace-server-webapp/src/main/java/org/dspace/app/rest/security/WebSecurityConfiguration.java
View File

@@ -88,6 +88,17 @@ public class WebSecurityConfiguration {
// Get the current AuthenticationManager (defined above) to apply filters below
AuthenticationManager authenticationManager = authenticationManager();
// Create a custom CsrfTokenRequestHandler to restore the eager loading of the CSRF token.
// In DSpace 8+, the upgrade to Spring Security 6 changed the default behavior to "deferred loading",
// which meant the DSPACE-XSRF-TOKEN was no longer automatically sent on most GET requests.
// This was a breaking change for REST API clients expecting the DSpace 7.x behavior.
// <P>
// By setting the csrfRequestAttributeName to null, we explicitly opt-out of deferred loading and
// force Spring Security to load the token on every request, restoring the old functionality.
// This resolves https://github.com/DSpace/DSpace/issues/9774
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
requestHandler.setCsrfRequestAttributeName(null);
// Configure authentication requirements for ${dspace.server.url}/api/ URL only
// NOTE: REST API is hardcoded to respond on /api/. Other modules (OAI, SWORD, IIIF, etc) use other root paths.
http.securityMatcher("/api/**", "/iiif/**", actuatorBasePath + "/**", "/signposting/**")
@@ -118,7 +129,7 @@ public class WebSecurityConfiguration {
// See https://github.com/DSpace/DSpace/issues/9450
// NOTE: DSpace doesn't need BREACH protection as it's only necessary when sending the token via a
// request attribute (e.g. "_csrf") which the DSpace UI never does.
.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
.csrfTokenRequestHandler(requestHandler))
.exceptionHandling((exceptionHandling) -> exceptionHandling
// Return 401 on authorization failures with a correct WWWW-Authenticate header
.authenticationEntryPoint(new DSpace401AuthenticationEntryPoint(restAuthenticationService))