Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Spring Security 3.2 CSRF disable for specific URLs

Tags:

spring-mvc

spring

spring-security

Enabled CSRF in my Spring MVC application using Spring security 3.2.

My spring-security.xml

<http>  <intercept-url pattern="/**/verify"  requires-channel="https"/>  <intercept-url pattern="/**/login*"  requires-channel="http"/>  ...  ...  <csrf /> </http>

Trying to disable CSRF for requests that contain 'verify' in request URL.

MySecurityConfig.java

@Configuration @EnableWebSecurity public class MySecurityConfig extends WebSecurityConfigurerAdapter {  private CsrfMatcher csrfRequestMatcher = new CsrfMatcher();  @Override public void configure(HttpSecurity http) throws Exception {      http.csrf().requireCsrfProtectionMatcher(csrfRequestMatcher);  }  class CsrfMatcher implements RequestMatcher {     @Override     public boolean matches(HttpServletRequest request) {          if (request.getRequestURL().indexOf("verify") != -1)             return false;         else if (request.getRequestURL().indexOf("homePage") != -1)                      return false;          return true;     } }  }

Csrf filter validates CSRF token that is submitted from 'verify' and Invalid token exception (403) is thrown as I'm submitting request to https from http. How can I disable csrf token authentication in such a scenario ?

like image 957
Mahesh Avatar asked Mar 20 '14 05:03

Mahesh

People also ask

How do I disable CSRF token in Spring Security?

Disable using security configuration code The spring boot security application allows to configure the security details in a customized class that extends WebSecurityConfigurerAdapter class. The CSRF feature can be disabled using the code “ http. csrf(). disable ()”.

What does HTTP CSRF () Disable () do?

But till now in all our examples we had disabled CSRF. CSRF stands for Cross-Site Request Forgery. It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.

How do I disable CSRF in Spring Cloud Gateway?

As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, the corresponding XML configuration can be seen below. CSRF protection is enabled by default with Java Configuration.

Should I disable CSRF Spring?

What is the real-life reason to disable it? The Spring documentation suggests: Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

1 Answers

I know this is not a direct answer, but people (as me) usually don't specify spring's version when searching for this kinds of questions. So, since spring security a method exists that lets ignore some routes:

The following will ensure CSRF protection ignores:

  1. Any GET, HEAD, TRACE, OPTIONS (this is the default)
  2. We also explicitly state to ignore any request that starts with "/sockjs/"
      http          .csrf()              .ignoringAntMatchers("/sockjs/**")              .and()          ...
like image 119
le0diaz Avatar answered Sep 22 '22 22:09

le0diaz
Sign in to Comment

Related questions

JPA Transient Annotation and JSON
When to use Spring prototype scope?
Spring-Kafka vs. Spring-Cloud-Stream (Kafka)
What kind of "EventBus" to use in Spring? Built-in, Reactor, Akka?
How to inject JPA EntityManager using spring
Difference between path and value attributes in @RequestMapping annotation
How to apply spring security filter only on secured endpoints?
Spring JDBC connection pool best practices
Spring MVC Annotated Controller Interface with @PathVariable
How to stop a scheduled task that was started using @Scheduled annotation?
When are connections returned to the connection pool with Spring JPA (Hibernate) Entity Manager?
What's the best way to get started with OSGI? [closed]
Can spring @Autowired Map?
receiving json and deserializing as List of object at spring mvc controller
Spring MongoDB query sorting
Is it problematic that Spring Data REST exposes entities via REST resources without using DTOs?
Spring + Hibernate: Query Plan Cache Memory usage
Difference between Spring annotations
Spring HATEOAS versus Spring Data Rest
Cannot load driver class: com.mysql.jdbc.Driver Spring

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!