stackoom
  简体   繁体   中英

Spring Boot Security and Auth0 - Cannot disable CSRF

 原文  2016-04-02 03:06:38       java/ spring/ security/ reactjs/ spring-security

Question

I am building a RESTful Spring Boot and React/Alt application. I want to add spring security to make sure that there could be no unauthenticated requests to the API.

I am using Auth0 for an authentication provider so users can log in to the application and more specifically the spring-security-auth0 library to handle the server side security side of things. https://github.com/auth0/spring-security-auth0

After following the basic tutorial on Auth0, I have configured the security config in my spring application so that requests to the API will not work without a JSON web token. This works, but there are some endpoints (those that need a POST) in the controllers that don't. I get this error in Chrome devtools - 

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

I understand that there are no CSRF headers present and that is why it isn't working. But the main reason I am confused is because I have disabled CSRF and it still happens. As the spring docs instruct, I've done this - 

@Configuration
@EnableWebSecurity
@ComponentScan("com.auth0")
@ImportResource("classpath:auth0-security-context.xml")
@PropertySource("classpath:auth0.properties")
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }

I don't need CSRF in this case as the app will only ever be used in a dev environment. Why does this still happen even though I have disabled CSRF completely?

1 answers

solution1
 0 ACCPTED  2016-04-02 15:55:58

The CsrfFilter that is responsible for the Exception is definetly enabled. This can have various reasons. Can it be you have another instance of WebSecurityConfigurerAdapter configured somewhere ?

You can try the following :

Set a breakpoint in line 'http.csrf().disable();' to see if its really executed.

Set breakpoints in the constructor(s) of WebSecurityConfigurerAdapter to see whether many instances are created.

This should show you whats going wrong..

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cannot disable CSRF security in Spring Boot Cannot disable csrf Spring boot Cannot Disable Spring Security in Spring Boot 2.0.1 spring security csrf disable issue Spring Boot Security XML vs WebSecurityConfigurerAdapter for CSRF Spring webflux Security - Disable csrf with property Auth0 in Java Spring MVC without Spring Boot Java Spring MVC Auth0 SSO not getting tokens (no Spring Boot) Spring boot, disable security for tests How to disable Spring Boot Security
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM