I am using Apereo CAS (formerly Jasig CAS) ( github here ). Then I create a very simple application in Vaadin that connects to CAS during authentication. Everything worked without problems until I turned on CSRF from Spring Security .
If CSRF is enabled, redirecting to the CAS login page works fine. But after successful authentication (login, passoword), CAS wants to redirect back to my application. Then I see the following:
{
"timestamp": 1498657046424,
"status": 403,
"error": "Forbidden",
"message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
"path": "/contextPath/"
}
I am using Spring Boot @EnableWebSecurity, so please take a look at the configuration from there:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(casAuthenticationFilter())
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
.exceptionHandling()
.authenticationEntryPoint(casAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/login")
.permitAll()
.anyRequest()
.authenticated();
http.csrf().disable();
}
My question is:
How do I configure Spring Security so that CSRF works correctly with CAS authentication?
Spring Boot 1.5.4.RELEASE (maven parent) Vaadin 8.0.5 (BOM).