From e2e63c6794438290023990aaf10a0a620119ec38 Mon Sep 17 00:00:00 2001
From: Rodolfo Ferreira
Date: Fri, 9 Jul 2021 18:53:56 -0300
Subject: [PATCH 1/9] =?UTF-8?q?Configura=C3=A7=C3=A3o=20de=20Same=20Site?=
 =?UTF-8?q?=20para=20abilitar=20consultar=20de=20CSRF=20na=20cache?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../config/seguranca/MvcConfiguracao.java | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 src/main/java/br/com/caelum/carangobom/config/seguranca/MvcConfiguracao.java

diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/MvcConfiguracao.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/MvcConfiguracao.java
new file mode 100644
index 00000000..e1d8a623
--- /dev/null
+++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/MvcConfiguracao.java
@@ -0,0 +1,21 @@
+package br.com.caelum.carangobom.config.seguranca;
+
+import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
+import org.apache.tomcat.util.http.SameSiteCookies;
+import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class MvcConfiguracao implements WebMvcConfigurer {
+
+ @Bean
+ public TomcatContextCustomizer sameSiteCookiesConfig() {
+ return context -> {
+ final var cookieProcessor = new Rfc6265CookieProcessor();
+ cookieProcessor.setSameSiteCookies(SameSiteCookies.NONE.getValue());
+ context.setCookieProcessor(cookieProcessor);
+ };
+ }
+}
From 757cfccceb8904c42acdadb0f4d3d222ec82f9dd Mon Sep 17 00:00:00 2001
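Review bot: `SameSiteCookies.NONE` is installed on the context's cookie processor, so every cookie Tomcat writes (session cookie and CSRF cookie alike) becomes `SameSite=None`, and browsers that enforce SameSite only accept `SameSite=None` when `Secure` is also present, which nothing in this patch sets — the cookie is then silently dropped and the CSRF lookup the subject mentions still fails. The Secure flag should be set where each cookie is created, e.g. `server.servlet.session.cookie.secure=true` for the session cookie and `CookieCsrfTokenRepository.setSecure(true)` for the CSRF cookie if the Spring Security version in use provides it; if the UI and API were actually same-site, `SameSiteCookies.LAX` would keep the SameSite defence against CSRF instead of discarding it. The class implements `WebMvcConfigurer` but overrides nothing and configures Tomcat rather than MVC, so the interface can be dropped or the class renamed to match what it does. A Javadoc line such as `/** Marks every cookie SameSite=None so the browser sends it on cross-site requests from the UI; only valid together with Secure. */` would record the intent for the next reader.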
From: Rodolfo Ferreira Date: Fri, 9 Jul 2021 19:17:21 -0300 Subject: [PATCH 2/9] =?UTF-8?q?Modifica=20o=20dom=C3=ADnio=20do=20cookie?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/main/resources/application.properties | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 5fe12051..08092f70 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -9,6 +9,10 @@ spring.jpa.hibernate.ddl-auto = update spring.jpa.properties.hibernate.show_sql = true spring.jpa.properties.hibernate.format_sql = true +server.servlet.session.cookie.domain=https://carango-bom-withfliters-ui.herokuapp.com/ +server.servlet.session.cookie.http-only=false +server.servlet.session.cookie.path=/ + # JACKSON CONFIGS spring.jackson.serialization.fail-on-empty-beans=false From 3e4570028218c737d42b626f3447142fcaa89b57 Mon Sep 17 00:00:00 2001 From: Rodolfo Ferreira Date: Fri, 9 Jul 2021 19:32:37 -0300 Subject: [PATCH 3/9] =?UTF-8?q?Atualiza=C3=A7=C3=A3o=20de=20dom=C3=ADnio?= =?UTF-8?q?=20do=20cookie=20de=20resposta?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../carangobom/config/seguranca/SegurancaConfig.java | 10 +++++++++- src/main/resources/application.properties | 4 ---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java index 2e8fe432..46a4af81 100644 --- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java +++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java 
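Review bot: `server.servlet.session.cookie.domain` expects a host name, but the value given is a full URL with scheme and trailing slash; a cookie Domain attribute cannot contain `:` or `/`, and Tomcat's Rfc6265CookieProcessor (installed in patch 1) validates the attribute and, as far as I recall, throws when such a cookie is written. Even as a bare host, `carango-bom-withfliters-ui.herokuapp.com` is the UI's host rather than this API's, and a browser discards a cookie whose Domain does not match the responding host (herokuapp.com is a public suffix, so sibling apps cannot share cookies at all); dropping the property so the cookie defaults to the API host is the working configuration. `server.servlet.session.cookie.http-only=false` makes the session cookie readable by script; with the stateless session policy in SegurancaConfig that cookie should seldom be issued, but it is still an unsafe default to commit. The same URL-as-domain value recurs in `setCookieDomain(...)` in patches 3, 5, 8 and 9, including the final state of the series.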
@@ -16,6 +16,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.csrf.CookieCsrfTokenRepository; +import org.springframework.security.web.csrf.CsrfTokenRepository; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; @@ -59,7 +60,7 @@ protected void configure(HttpSecurity http) throws Exception { .antMatchers(HttpMethod.POST, "/usuarios").permitAll() .antMatchers(HttpMethod.GET, "/veiculos").permitAll() .anyRequest().authenticated().and() - .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() + .csrf().csrfTokenRepository(getCsrfTokenRepository()).and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and() .addFilterBefore(new AutenticacaoTokenFiltro(tokenService, usuarioRepository), UsernamePasswordAuthenticationFilter.class); } @@ -82,4 +83,11 @@ CorsConfigurationSource corsConfigurationSource() source.registerCorsConfiguration("/**", configuration); return source; } + + private CsrfTokenRepository getCsrfTokenRepository() { + var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(); + tokenRepository.setCookiePath("/"); + tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com"); + return tokenRepository; + } } diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 08092f70..5fe12051 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties 
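Review bot: `getCsrfTokenRepository()` in the third hunk deliberately keeps the CSRF cookie readable by script via `withHttpOnlyFalse()`, and nothing in the code says why, which invites a later "hardening" that breaks the front end; a comment such as `// HttpOnly=false on purpose: the SPA reads the CSRF cookie and echoes it in the CSRF header (double-submit cookie pattern)` would settle that. In the same hunk the `setCookieDomain(...)` argument is a URL with scheme and slash rather than a host name, so it cannot yield a valid Domain attribute. The enclosing class continues outside these hunks.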
@@ -9,10 +9,6 @@ spring.jpa.hibernate.ddl-auto = update spring.jpa.properties.hibernate.show_sql = true spring.jpa.properties.hibernate.format_sql = true -server.servlet.session.cookie.domain=https://carango-bom-withfliters-ui.herokuapp.com/ -server.servlet.session.cookie.http-only=false -server.servlet.session.cookie.path=/ - # JACKSON CONFIGS spring.jackson.serialization.fail-on-empty-beans=false From 55efb1f94bc089d0c9767d880e1192a96f1dbf74 Mon Sep 17 00:00:00 2001 From: Rodolfo Ferreira Date: Sun, 11 Jul 2021 23:18:36 -0300 Subject: [PATCH 4/9] Checando cookies --- .../caelum/carangobom/config/seguranca/SegurancaConfig.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java index 46a4af81..eb975bc6 100644 --- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java +++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java @@ -72,8 +72,7 @@ public void configure(WebSecurity web) throws Exception { } @Bean - CorsConfigurationSource corsConfigurationSource() - { + CorsConfigurationSource corsConfigurationSource() { var configuration = new CorsConfiguration(); configuration.addAllowedOrigin("https://carango-bom-withfliters-ui.herokuapp.com"); configuration.addAllowedHeader("*"); @@ -86,8 +85,6 @@ CorsConfigurationSource corsConfigurationSource() private CsrfTokenRepository getCsrfTokenRepository() { var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(); - tokenRepository.setCookiePath("/"); - tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com"); return tokenRepository; } } From f57faf7f0598e3cfe866c9104e3bb47be36bf942 Mon Sep 17 00:00:00 2001 
From: Rodolfo Ferreira Date: Sun, 11 Jul 2021 23:34:41 -0300 Subject: [PATCH 5/9] Testando com ui --- .../com/caelum/carangobom/config/seguranca/SegurancaConfig.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java index eb975bc6..3792e382 100644 --- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java +++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java @@ -85,6 +85,7 @@ CorsConfigurationSource corsConfigurationSource() { private CsrfTokenRepository getCsrfTokenRepository() { var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(); + tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com"); return tokenRepository; } } From 167bc70dd84ca8172581fa2397bd5cd185744f5f Mon Sep 17 00:00:00 2001 From: Rodolfo Ferreira Date: Sun, 11 Jul 2021 23:42:27 -0300 Subject: [PATCH 6/9] Tentando sem CORS --- .../com/caelum/carangobom/config/seguranca/SegurancaConfig.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java index 3792e382..f8aa6482 100644 --- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java +++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java @@ -22,6 +22,7 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import java.util.Arrays; +import java.util.Collections; @EnableWebSecurity @Configuration 
@@ -76,6 +77,7 @@ CorsConfigurationSource corsConfigurationSource() { var configuration = new CorsConfiguration(); configuration.addAllowedOrigin("https://carango-bom-withfliters-ui.herokuapp.com"); configuration.addAllowedHeader("*"); + configuration.setAllowedOrigins(Collections.singletonList("no-cors")); configuration.setAllowCredentials(true); configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE")); var source = new UrlBasedCorsConfigurationSource(); From 61db2d8bab605cdab14b007d28b8df92d32902f7 Mon Sep 17 00:00:00 2001 From: Rodolfo Ferreira Date: Mon, 12 Jul 2021 09:46:49 -0300 Subject: [PATCH 7/9] =?UTF-8?q?Configura=C3=A7=C3=A3o=20de=20autentica?= =?UTF-8?q?=C3=A7=C3=A3o=20CSRF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 1 + .../caelum/carangobom/config/seguranca/SegurancaConfig.java | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 549e00a2..2e9cba3d 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ target/ !.mvn/wrapper/maven-wrapper.jar !**/src/main/**/target/ !**/src/test/**/target/ +.DS_Store ### STS ### .apt_generated diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java index f8aa6482..eb975bc6 100644 --- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java +++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java @@ -22,7 +22,6 @@ import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import java.util.Arrays; -import java.util.Collections; @EnableWebSecurity @Configuration 
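Review bot: `configuration.setAllowedOrigins(Collections.singletonList("no-cors"))` replaces the origin list that `addAllowedOrigin(...)` on the line above just populated, so the UI origin is no longer allowed, and `"no-cors"` is a fetch request mode rather than an origin, so it can never match an `Origin` header; together with `setAllowCredentials(true)` the result is that every credentialed cross-origin request from the UI is refused. If the goal was to test without CORS, an experiment like this belongs on a throwaway branch; otherwise the added line should go so `addAllowedOrigin` stays in effect. The method's signature and return lie outside this hunk.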
@@ -77,7 +76,6 @@ CorsConfigurationSource corsConfigurationSource() { var configuration = new CorsConfiguration(); configuration.addAllowedOrigin("https://carango-bom-withfliters-ui.herokuapp.com"); configuration.addAllowedHeader("*"); - configuration.setAllowedOrigins(Collections.singletonList("no-cors")); configuration.setAllowCredentials(true); configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE")); var source = new UrlBasedCorsConfigurationSource(); @@ -87,7 +85,6 @@ CorsConfigurationSource corsConfigurationSource() { private CsrfTokenRepository getCsrfTokenRepository() { var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(); - tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com"); return tokenRepository; } } From 2c4f5b63d40bd3e459a24003fc324b9b009e0125 Mon Sep 17 00:00:00 2001 From: Rodolfo Ferreira Date: Mon, 12 Jul 2021 09:53:28 -0300 Subject: [PATCH 8/9] Set cookie domain --- .../com/caelum/carangobom/config/seguranca/SegurancaConfig.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java index eb975bc6..3792e382 100644 --- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java +++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java @@ -85,6 +85,7 @@ CorsConfigurationSource corsConfigurationSource() { private CsrfTokenRepository getCsrfTokenRepository() { var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(); + tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com"); return tokenRepository; } } From d27aa4c632f733bf12841d96b5b15f98b10f2d34 Mon Sep 17 00:00:00 2001 
From: Rodolfo Ferreira Date: Mon, 12 Jul 2021 09:54:31 -0300 Subject: [PATCH 9/9] Adicionado dominio quando enviar cookie --- .../com/caelum/carangobom/config/seguranca/SegurancaConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java index 3792e382..e6dbe23d 100644 --- a/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java +++ b/src/main/java/br/com/caelum/carangobom/config/seguranca/SegurancaConfig.java @@ -85,7 +85,7 @@ CorsConfigurationSource corsConfigurationSource() { private CsrfTokenRepository getCsrfTokenRepository() { var tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse(); - tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com"); + tokenRepository.setCookieDomain("https://carango-bom-withfliters-ui.herokuapp.com/"); return tokenRepository; } }