How to handle security.enable-csrf in Spring Boot 2?

Question

I'm migrating an application from Spring Boot 1.5 to 2.0.5. I have a property set as security.enable-csrf=true in 1.5 version which is not available in 2.0 version of Spring Boot.

I read the documents and it is said that in Spring Boot 2.0:

CSRF protection is enabled by default in the Java configuration.

So by default it is enabled ok fine, but there is also one class created which extends WebSecurityConfigurerAdapter this means Spring Boot default security configuration has been turned off. Is this also means security.enable-csrf is disabled now?

If yes how do I enable it like I had it in the application for 1.5 version.

I didn't get any document which gives a clear confirmation on how to handle security.enable-csrf property in Spring Boot 2.0 and while declaring the WebSecurityConfigurerAdapter.

Does anyone know about it? Also any document link which I have missed to read about this would be great help.

Answer 1

In order to have backward compatibility with the property already been set in you application, security.enable-csrf=true, you can use the following code:

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

    @Value("${security.enable-csrf}")
    private boolean csrfEnabled;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (!csrfEnabled) {
            http.csrf().disable();
        }
    }
}

As you might guess the magic comes from http.csrf().disable(); that in the above code you can control enabling/disabling it by the property you have set in you application.properties file.

---

More Info:

For more details you can also refer to the spring documents:

• https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf