I have a working Spring Boot application in which CSRF is enabled, but now I want to disable it only for localhost. Any request from another domain must undergo CSRF security, but for localhost I want to disable it. How can I achieve that?
I know how to disable it by changing:
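    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    @Configuration
    @EnableWebMvcSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Turns CSRF protection off for every request, regardless of origin
            http.csrf().disable();
        }
    }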
The above code disables CSRF, but I want to disable CSRF only for localhost.
Can you please help me?
EDIT: I know how to do it with two profiles. Thanks @daren for your detailed answer.
You could use Spring Profiles to achieve what you are looking to do.
https://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-profiles.html
At its simplest you could have two configurations:
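    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Profile;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    @Configuration
    @EnableWebMvcSecurity
    @Profile("!deployed") // Not(!) deployed profile
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CSRF protection is off whenever the "deployed" profile is not active
            http.csrf().disable();
        }
    }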
And in deployed regions activate the deployed profile.
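    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Profile;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    // Needs a different class name or package than the non-deployed configuration
    @Configuration
    @EnableWebMvcSecurity
    @Profile("deployed")
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // There is no enable() method: CSRF protection is on by default
            http.csrf();
        }
    }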
Depending on what security configuration you are doing, you could do the inverse of this and activate a local profile by default which would do the disabling.
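
As an added example (not code from the question or the answer above): a per-request alternative to profiles that uses Spring Security's `requireCsrfProtectionMatcher` to skip the CSRF check only when the connection comes from a loopback address. The class names `LoopbackAwareCsrfConfiguration` and `NonLoopbackCsrfMatcher` are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class LoopbackAwareCsrfConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical helper: returns true when a request must carry a valid CSRF token.
    static class NonLoopbackCsrfMatcher implements RequestMatcher {
        // The read-only methods that Spring Security's default matcher also exempts.
        private static final Set<String> SAFE_METHODS =
                new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

        @Override
        public boolean matches(HttpServletRequest request) {
            if (SAFE_METHODS.contains(request.getMethod())) {
                return false;
            }
            String addr = request.getRemoteAddr();
            // getByName(null) and getByName("") both resolve to loopback, so fail closed first.
            if (addr == null || addr.isEmpty()) return true;
            try {
                // An IP literal is parsed without a DNS lookup.
                return !InetAddress.getByName(addr).isLoopbackAddress();
            } catch (UnknownHostException e) {
                return true; // unparseable address: keep CSRF protection on
            }
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(new NonLoopbackCsrfMatcher());
    }
}
```

Behind a reverse proxy on the same host, `getRemoteAddr()` is the loopback address for every request, so this matcher would switch CSRF protection off for all clients; in that setup the profile approach is the safer one.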