What?
We should see if we can remove the CSRF exception for /logout.
Why?
To improve overall security.
How?
Two possibilities:
a) I think if we modified pass-ui to do a POST to /logout instead of a GET, we could get rid of the exception.
b) Otherwise, if we wanted to get rid of ignoringRequestMatchers, we would have to modify requireCsrfProtectionMatcher as you suggest. I can't quite remember how different request matchers get joined and what takes precedence. In the worst case you would have to just duplicate the default CSRF matcher with our exceptions added in.
Acceptance Criteria
ignoringRequestMatchers is removed from pass-core SecurityConfiguration and logout works from pass.
Related Issues
https://sonarcloud.io/project/security_hotspots?id=eclipse-pass_pass-core&hotspots=AZPZytbAAdeY80wzvC1F
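As an added illustration, not pass-core's actual SecurityConfiguration, here is a Spring Security 6 filter chain showing the /logout exemption this issue wants removed next to the hardened form, with option (b) from the issue sketched in a comment; the package, class name and cookie-based token repository are assumptions.

```java
package org.example.pass; // hypothetical package, not pass-core's

import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class LogoutCsrfSecurityConfiguration {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf
                // Token kept in a cookie the browser UI can read and echo back in
                // the X-XSRF-TOKEN header (illustrative choice, not pass-core's).
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
                // BEFORE (the exemption this issue wants removed):
                //   .ignoringRequestMatchers("/logout")
                // With it, any cross-site request to /logout ends the session
                // without a token check (the SonarCloud hotspot linked above).
                // AFTER: nothing is ignored, so the default CsrfFilter matcher
                // (every method except GET, HEAD, TRACE, OPTIONS) guards /logout.
                //
                // Option (b) from the issue, an explicit matcher instead of an
                // ignore list. CsrfConfigurer combines the two as
                // require AND NOT(ignore), so with no ignores this is equivalent
                // to the default above:
                //   .requireCsrfProtectionMatcher(request ->
                //       !Set.of("GET", "HEAD", "TRACE", "OPTIONS")
                //           .contains(request.getMethod()))
            )
            .logout(logout -> logout
                .logoutUrl("/logout")     // with CSRF enabled, LogoutFilter only
                .logoutSuccessUrl("/"));  // matches POST /logout, never GET
        return http.build();
    }
}
```

Option (a) then falls on pass-ui: it must send POST /logout carrying the token (here from the XSRF-TOKEN cookie into the X-XSRF-TOKEN header), and a plain GET /logout no longer logs anyone out.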