 

How to handle security.enable-csrf in Spring Boot 2?

I'm migrating an application from Spring Boot 1.5 to 2.0.5. I have a property set as security.enable-csrf=true in 1.5 version which is not available in 2.0 version of Spring Boot.

I read the documents and it is said that in Spring Boot 2.0:

CSRF protection is enabled by default in the Java configuration.

So by default it is enabled, ok fine, but there is also one class created which extends WebSecurityConfigurerAdapter; this means the Spring Boot default security configuration has been turned off. Does this also mean security.enable-csrf is disabled now?

If yes, how do I enable it like I had it in the application for the 1.5 version?

I didn't find any document which gives a clear confirmation on how to handle the security.enable-csrf property in Spring Boot 2.0 while declaring the WebSecurityConfigurerAdapter.

Does anyone know about it? Also, a link to any document I may have missed reading about this would be a great help.

tyro asked Sep 25 '18 12:09


People also ask

How do you resolve CSRF in spring boot?

To protect against CSRF attacks we need to ensure there is something in the request that the evil site is unable to provide. One solution is to use the Synchronizer Token Pattern. This solution is to ensure that each request requires, in addition to our session cookie, a randomly generated token as an HTTP parameter.

Is CSRF enabled by default in Spring Security?

The next step is to configure Spring Security's CSRF protection within your application. Spring Security's CSRF protection is enabled by default, but you may need to customize the configuration.

Should I disable CSRF Spring Security?

What is the real-life reason to disable it? The Spring documentation suggests: Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.


1 Answer

In order to have backward compatibility with the property already set in your application, security.enable-csrf=true, you can use the following code:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Spring Boot 2 no longer binds security.enable-csrf itself, so this is just a
    // plain application property. The ":true" default keeps CSRF protection on when
    // the property is absent instead of failing at startup on an unresolved placeholder.
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is on by default in Spring Security's Java configuration;
        // only switch it off when the property explicitly says so.
        if (!csrfEnabled) {
            http.csrf().disable();
        }
    }
}

As you might guess, the magic comes from http.csrf().disable(); in the above code you can control enabling/disabling it by the property you have set in your application.properties file.


More Info:

For more details you can also refer to the spring documents:

  • https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf
MohammadReza Alagheband answered Sep 28 '22 08:09
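The following is an added example, not code from the answer above or from the Spring project, that fills in what the answer's snippet leaves implicit: a complete Spring Boot 2.x / Spring Security 5.x configuration in which the old `security.enable-csrf` property (no longer bound by Boot 2 itself, so here it is an ordinary application property with a default of `true`) selects between the synchronizer-token protection described in the "People also ask" section and an explicit opt-out. The class name `CsrfToggleSecurityConfig`, the `/actuator/health` matcher and the choice of `CookieCsrfTokenRepository` are assumptions made for the example and are not in the original post.

```java
// Added example (not from the original answer): reinstating Boot 1.5's
// security.enable-csrf behaviour on Spring Boot 2.x with an explicit default.
//
// Assumptions (not in the original post): the class name, the /actuator/health
// matcher and the cookie-based token repository are chosen for this example.
// Spring Boot 2 does not bind security.enable-csrf itself, so the property is
// read directly with @Value and defaults to true when absent.
package com.example.security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfToggleSecurityConfig extends WebSecurityConfigurerAdapter {

    // ":true" keeps CSRF protection on when the property is missing, which is
    // also Spring Security's own default for the Java configuration.
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Overriding configure(HttpSecurity) replaces the adapter's defaults
        // (authenticate everything, form login, HTTP Basic), so they are
        // restated here instead of silently lost.
        http
            .authorizeRequests()
                .antMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();

        if (csrfEnabled) {
            // Synchronizer token pattern: every state-changing request (POST, PUT,
            // PATCH, DELETE) must carry a token a cross-site page cannot obtain.
            // Leaving csrf() untouched would use the default session-backed
            // repository, which is what Boot 1.5's security.enable-csrf=true gave
            // you; the cookie repository is shown because it lets a JavaScript
            // front end read the XSRF-TOKEN cookie and echo it back in the
            // X-XSRF-TOKEN header (the Angular convention).
            http.csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        } else {
            // Only appropriate when no browser will ever send authenticated
            // requests to this service (see the Spring Security reference);
            // with a session cookie or Basic credentials cached by a browser,
            // disabling this reopens CSRF.
            http.csrf().disable();
        }
    }
}
```

To confirm the toggle is really in effect after the migration, run the application with `security.enable-csrf=true` and issue an authenticated POST without a token, for example `curl -i -u user:password -X POST http://localhost:8080/api/anything`; the CSRF filter should answer 403 before the request reaches any controller, and the same request after setting the property to `false` should no longer be rejected for that reason. In a MockMvc test the equivalent assertions are `post("/api/anything")` expecting `status().isForbidden()` versus `post("/api/anything").with(csrf())` expecting success.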