Disable CSRF for specific URLs SPA Spring Gateway WebFlux

334 Views Asked by Afrodeziak At 31 January 2022 at 09:05

I have next CSRF code in WebFilterChain:

            .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
            .requireCsrfProtectionMatcher(getURLsForDisabledCSRF())

I would like to turn off the CSRF check on POST methods for several URLs. I have found NegatedServerWebExchangeMatcher, which allows doing next:

        return new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers(
HttpMethod.POST, "/services/service1/api/some-post-endpoint1", 
"/services/service1/api/some-post-endpoint2");

So overall this code works, but when I'm trying to GET request login page or domain page, I will get 'Invalid CSRF' or 'Expected CSRF cannot be found'. Also after Spa tries to redirect me to index.html there will be 403 on this GET redirect the request, which says: Invalid CSRF or no CSRF presented.

Original Q&A

There are 1 best solutions below

Eleftheria Stein-Kousathana On 31 January 2022 at 09:46 BEST ANSWER

When setting the requireCsrfProtectionMatcher you override the default configuration which allows GET requests.

If you want to use both, you can return an AndServerWebExchangeMatcher from getURLsForDisabledCSRF that combines the default CSRF matcher and you custom matcher.

new AndServerWebExchangeMatcher(
    CsrfWebFilter.DEFAULT_CSRF_MATCHER,
    new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST,
        "/services/service1/api/some-post-endpoint1",
        "/services/service1/api/some-post-endpoint2"))
)

Disable CSRF for specific URLs SPA Spring Gateway WebFlux

There are 1 best solutions below

Related Questions in SPRING

Related Questions in SPRING-SECURITY

Related Questions in MICROSERVICES

Related Questions in CSRF

Related Questions in WEBFLUX

Trending Questions

Popular # Hahtags

Popular Questions