Fix matrix security issue (#35)

levimdmiller · Feb 20, 2021 · 843679d · 843679d
1 parent 4c84621
commit 843679d
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 14 deletions.
diff --git a/pom.xml b/pom.xml
@@ -11,7 +11,7 @@
   </parent>
   <groupId>ca.levimiller</groupId>
   <artifactId>sms-bridge</artifactId>
-  <version>0.2.1</version>
+  <version>0.2.2</version>
   <name>sms-bridge</name>
   <description>Sms Bridge for Matrix</description>
 

diff --git a/src/main/java/ca/levimiller/smsbridge/security/WebSecurityConfig.java b/src/main/java/ca/levimiller/smsbridge/security/WebSecurityConfig.java
@@ -9,10 +9,11 @@
 import org.springframework.core.Ordered;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 
 @Configuration
+@EnableWebSecurity
 public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 
   private final Filter twilioAuthenticationFilter;
@@ -36,19 +37,21 @@ public void configure(WebSecurity web) {
   @Override
   protected void configure(HttpSecurity http) throws Exception {
     // No need for csrf between back end servers. (no cookies/basic auth)
-    http.csrf()
-        .ignoringAntMatchers("/matrix/**", "/attachment/**", "/twilio/**");
-
-    http.antMatcher("/attachment/**")
-        .addFilterAfter(twilioAuthenticationFilter, AnonymousAuthenticationFilter.class);
-
-    http.antMatcher("/twilio/**")
-        .addFilterAfter(twilioAuthenticationFilter, AnonymousAuthenticationFilter.class);
 
-    http.authorizeRequests()
-        .antMatchers("/twilio/**")
-        .authenticated()
+    http.csrf()
+        .ignoringAntMatchers("/matrix/**", "/attachment/**", "/twilio/**")
         .and()
-        .httpBasic();
+        .authorizeRequests()
+        .antMatchers("/matrix/**", "/attachment/**", "/twilio/**")
+        .permitAll();
+  }
+
+  @Bean
+  FilterRegistrationBean<Filter> twilioFilterRegistration() {
+    FilterRegistrationBean<Filter> registrationBean = new FilterRegistrationBean<>();
+    registrationBean.setFilter(twilioAuthenticationFilter);
+    registrationBean.addUrlPatterns("/attachment/*", "/twilio/*");
+    registrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); //set precedence
+    return registrationBean;
   }
 }