Customize csrf cookie domain (#7184)

* Update the csrfTokenRepo bean so we can configure the cookie domain * Use the factory method to set the httpcookie setting
ORCID · Jan 16, 2025 · 12d379a · 12d379a
1 parent c9aef14
commit 12d379a
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/orcid-web/src/main/resources/orcid-frontend-security.xml b/orcid-web/src/main/resources/orcid-frontend-security.xml
@@ -98,10 +98,12 @@
             </bean>
         </property>
     </bean>
-
-    <bean id="csrfTokenRepo" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository" factory-method="withHttpOnlyFalse" />
-
-    	<sec:http-firewall ref="httpFirewall"/>
+
+	<bean id="csrfTokenRepo" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository" factory-method="withHttpOnlyFalse">
+		<property name="cookieDomain" value="${org.orcid.core.csrf.domain}" />
+	</bean>
+
+	<sec:http-firewall ref="httpFirewall"/>
 
 	<sec:http pattern="/robots.txt" security="none" create-session="stateless" />
 	<sec:http pattern="/tomcatUp.json" security="none" create-session="stateless" />