Spring -cloud: disable CSRF

Question

Spring -cloud: disable CSRF

Tried to disable CSRF in edge / zuul with http.csrf().disable(). But still csrfFilter is available in the @position 4 filter chain. I even set the property spring.enableCsrf: false. However, csrfFilter starts and my ajax requests get a 403 error.

How to disable CSRF with Zuul and an external OAuth server (UAA)?

+4

spring-boot spring-cloud-netflix

Ahamed Mustafa M Oct 30 '16 at 9:24

source share

1 answer

Sudhakar · Answer 1 · 2017-07-06T06:00:31+0000

Configure CSRF protection Some frameworks process invalid CSRF tokens, closing the user session, but this causes problems. Instead, by default, Spring Protection CSRF protection will result in HTTP 403 access denial. This can be configured by setting the AccessDeniedHandler to handle an InvalidCsrfTokenException in different ways.

As with Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you want to disable CSRF protection, the corresponding XML configuration can be seen below.

<http>
    <!-- ... -->
    <csrf disabled="true"/>
</http>

CSRF protection is enabled by default using Java Configuration. If you want to disable CSRF, the corresponding Java configuration can be seen below. See Javadoc csrf () for additional configuration in setting up CSRF protection.

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .csrf().disable();
}
}

Spring -cloud: disable CSRF

More articles: