Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to disable CSRF in Spring Security 4 only for specific URL pattern through XML configuration?

Tags:

spring-mvc

spring-security

How to disable CSRF in Spring Security 4 only for specific URL pattern through XML configuration?

Spring-security.xml

<security:http auto-config="true" use-expressions="true" pattern="/ext/**">
    <csrf disabled="true" />
</security:http>

<security:http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
    <security:intercept-url pattern="/auth/**" access="hasAnyRole('ROLE_USER')" />
    <security:form-login login-page="/login" authentication-success-handler-ref="loginSuccessHandler" authentication-failure-url="/login" login-processing-url="/j_spring_security_check" />
    <security:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
</security:http>

My code works fine if I use only one security:http block, but after I add another block it throws error as below:

Error

Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter gov.in.controller.filter.LoginAdtAuthFailHdlr.usernamePasswordAuthenticationFilter; nested exception is org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] is defined: expected single matching bean but found 2: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#1
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:561)
    at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:331)
    ... 58 more
Caused by: org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] is defined: expected single matching bean but found 2: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#1
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1054)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:942)
    at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:533)
    ... 60 more
like image 741
ad-inf Avatar asked Aug 12 '15 09:08

ad-inf

2 Answers

Could not achieve with just XML changes. Below worked for me

Change in Spring-security.xml

<security:http  use-expressions="true" authentication-manager-ref="authenticationManager">
    <security:intercept-url pattern="/auth/**" access="hasAnyRole('ROLE_USER')" />
    <security:form-login login-page="/login" authentication-success-handler-ref="loginSuccessHandler" authentication-failure-url="/login" login-processing-url="/j_spring_security_check" />
    <security:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />

    <security:csrf request-matcher-ref="csrfSecurityRequestMatcher"  />
</security:http>

CsrfSecurityRequestMatcher 

public class CsrfSecurityRequestMatcher implements RequestMatcher {
    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
    private RegexRequestMatcher unprotectedMatcher = new RegexRequestMatcher("/ext/**", null);

    @Override
    public boolean matches(HttpServletRequest request) {          
        if(allowedMethods.matcher(request.getMethod()).matches()){
            return false;
        }
        return !unprotectedMatcher.matches(request);
    }
}
like image 142
ad-inf Avatar answered Oct 23 '22 22:10

ad-inf

You can have two (or more) filter chains:

<http pattern="/your-specific/**">
  <!-- ... -->
  <csrf disabled="true"/>
</http>
<http>
  <!-- ... -->
</http>
like image 23
holmis83 Avatar answered Oct 23 '22 21:10

holmis83
Sign in to Comment

Related questions

SpringBoot JPA Interface's save() and delete() not working with ArrayList or Long
Request parameters in Freemarker on Spring 2.5
Pass a request parameter in Spring MVC 3
JSR-303 validation with custom message
Accessing my custom user object in jsp page, using spring 3 security
Passing parameters in redirect view Spring MVC
Confusion about how java web session handeling works. Demystifying Cookies and Header differences using servlet api and HttpSession object
Java, Spring, Apache Tiles error : Could not resolve view with name 'index' in servlet with name 'dispatcher'
Spring simply rendering an html page
How to mark Spring MVC params as required
HTTP Status 500 - Servlet.init() for servlet fitTrackerServlet threw exception
How to set a local variable in application-context.xml to represent a repeating value?
Can a Spring MVC app be multithreaded even if its servlets are not?
Spring MVC form:errors using Ajax
how to debug Spring MVC application on Spring Source Tool Suite
Passing multiple parameters from view to controller in spring mvc
Spring MVC form validation not working
the request sent by the client was syntactically incorrect when sending post requests
Return a static html without redirect in Spring
java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurityManager

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!