diff --git a/.gitignore b/.gitignore
index 549e00a2..2e9cba3d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@ target/
 !.mvn/wrapper/maven-wrapper.jar
 !**/src/main/**/target/
 !**/src/test/**/target/
+.DS_Store
 
 ### STS ###
 .apt_generated
diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/MvcConfiguracao.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/MvcConfiguracao.java
new file mode 100644
index 00000000..e1d8a623
--- /dev/null
+++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/MvcConfiguracao.java
@@ -0,0 +1,21 @@
+package br.com.caelum.carangobom.config.seguranca;
+
+import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
+import org.apache.tomcat.util.http.SameSiteCookies;
+import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class MvcConfiguracao implements WebMvcConfigurer {
+
+ @Bean
+ public TomcatContextCustomizer sameSiteCookiesConfig() {
+ return context -> {
+ final var cookieProcessor = new Rfc6265CookieProcessor();
+ cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
+ context.setCookieProcessor(cookieProcessor);
+ };
+ }
+}
diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java
index 2e8fe432..e6dbe23d 100644
--- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java
+++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java
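Review bot: `cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue())` in sameSiteCookiesConfig marks every cookie the application emits as SameSite=None, and browsers only accept SameSite=None cookies that also carry the Secure attribute, which nothing in this class sets. Confirm that each cookie passing through this processor is emitted as Secure — the session cookie, if one is ever created, via `server.servlet.session.cookie.secure=true`, and the CSRF cookie built in SegurancaConfig via `CookieCsrfTokenRepository.setSecure(true)` if your Spring Security version provides it — otherwise the browser drops the cookie and the CSRF check fails for the cross-origin UI. Because SameSite=None re-enables cross-site sending of these cookies, the CSRF token check must remain enforced on every state-changing route. The class also implements WebMvcConfigurer without overriding anything, so either drop the interface or note what it is reserved for, and a class Javadoc such as `/** Forces SameSite=None on all cookies so the UI hosted on another origin can send them; every such cookie must also be Secure. */` would record why this global setting exists.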
@@ -16,6 +16,7 @@
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -59,7 +60,7 @@ protected void configure(HttpSecurity http) throws Exception {
 .antMatchers(HttpMethod.POST, "/usuarios").permitAll()
 .antMatchers(HttpMethod.GET, "/veiculos").permitAll()
 .anyRequest().authenticated().and()
- .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
+ .csrf().csrfTokenRepository(getCsrfTokenRepository()).and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
 .addFilterBefore(new AutenticacaoTokenFiltro(tokenService, usuarioRepository), UsernamePasswordAuthenticationFilter.class);
 }
 
@@ -71,8 +72,7 @@ public void configure(WebSecurity web) throws Exception {
 }
 
 @Bean
-CorsConfigurationSource corsConfigurationSource()
-{
+CorsConfigurationSource corsConfigurationSource() {
 var configuration = new CorsConfiguration();
 configuration.addAllowedOrigin("https://carango-bom-withfliters-ui.herokuapp.com");
 configuration.addAllowedHeader("*");
@@ -82,4 +82,10 @@ CorsConfigurationSource corsConfigurationSource()
 source.registerCorsConfiguration("/**", configuration);
 return source;
 }
+
+private CsrfTokenRepository getCsrfTokenRepository() {
+var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
+tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com/");
+return tokenRepository;
+}
 }
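Review bot: `tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com/")` in getCsrfTokenRepository passes a full URL where a cookie Domain attribute must be a bare host name; the scheme, colon and trailing slash are not valid domain characters, so the Rfc6265CookieProcessor this commit installs in MvcConfiguracao will most likely reject the cookie with an IllegalArgumentException when the CSRF token is written. Even a well-formed value naming the UI host would be discarded by browsers, because a server may only scope cookies to its own host or a parent domain of it, and herokuapp.com is a public suffix that cannot be shared across apps. Cross-origin delivery of the CSRF cookie is governed by the CORS configuration in corsConfigurationSource and the SameSite setting, so the domain override should be removed, `var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(); return tokenRepository;`, or, if a Domain is genuinely needed, set to the API's own host name. The origin literal is now repeated in corsConfigurationSource and here, so hoisting it into a `private static final String UI_ORIGIN` constant would keep the two in step. A short Javadoc such as `/** CSRF token cookie readable by the browser-side client (httpOnly=false); scoped to this host. */` would document the intent.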