Colin DAMON
--- a/borestop/src/main/java/com/ippon/borestop/config/SecurityConfiguration.java

+ 22

− 3
+++ b/borestop/src/main/java/com/ippon/borestop/config/SecurityConfiguration.java

+ 22

− 3
 package com.ippon.borestop.config;

 import com.ippon.borestop.common.infrastructure.Generated;
-import com.ippon.borestop.security.*;
-import com.ippon.borestop.security.jwt.*;
+import com.ippon.borestop.security.AuthoritiesConstants;
+import com.ippon.borestop.security.jwt.JWTConfigurer;
+import com.ippon.borestop.security.jwt.TokenProvider;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.HttpMethod;
 @@ -15,6 +16,10 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
 import org.springframework.web.filter.CorsFilter;
 import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;
 @@ -58,6 +63,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    // @formatter:off
        http
            .csrf()
+            .csrfTokenRepository(csrfTokenRepository())
            .disable()
            .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
            .exceptionHandling()
 @@ -91,10 +97,23 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        .and()
            .httpBasic()
        .and()
-            .apply(securityConfigurerAdapter());
+            .apply(securityConfigurerAdapter())
+        .and()
+            .securityContext()
+                .securityContextRepository(securityContextRepository());
  // @formatter:on
  }

+  @Bean
+  public SecurityContextRepository securityContextRepository() {
+    return new HttpSessionSecurityContextRepository();
+  }
+
+  @Bean
+  public CsrfTokenRepository csrfTokenRepository() {
+    return CookieCsrfTokenRepository.withHttpOnlyFalse();
+  }
+
  private JWTConfigurer securityConfigurerAdapter() {
    return new JWTConfigurer(tokenProvider);
  }