
Cannot disable CSRF security in Spring Boot

I want to send an HTTP request from Ruby code with these values, but every time I get `CSRF verification failed`:


I have this Spring configuration:


@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/v1/notification")
  public ResponseEntity<String> handleNotifications(@RequestBody MultiValueMap<String, Object> keyValuePairs) {
    return new ResponseEntity<>(HttpStatus.OK);
  }

Spring converter config:

@SpringBootApplication(scanBasePackages = { "org.rest.api.*", "org.plugin.service", "org.plugin.transactions.factory" })
public class Application extends SpringBootServletInitializer implements WebMvcConfigurer {

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        // Replace Boot's default Jackson converters with ones built on a JAXB-aware mapper
        converters.removeIf(converter -> converter instanceof MappingJackson2XmlHttpMessageConverter);
        converters.removeIf(converter -> converter instanceof MappingJackson2HttpMessageConverter);
        converters.add(new MappingJackson2XmlHttpMessageConverter(
                (XmlMapper) createObjectMapper(Jackson2ObjectMapperBuilder.xml())));
        converters.add(new MappingJackson2HttpMessageConverter(createObjectMapper(Jackson2ObjectMapperBuilder.json())));
    }

    private ObjectMapper createObjectMapper(Jackson2ObjectMapperBuilder builder) {
        builder.modules(new JaxbAnnotationModule());
        return builder.build();
    }
}

But I get this error:

<h1>Forbidden <span>(403)</span></h1>
  <p>CSRF verification failed. Request aborted.</p>    
  <p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
  <p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for &#39;same-origin&#39; requests.</p>

I tried to disable the CSRF filter using this Spring Security configuration code:

@Configuration
@EnableWebSecurity
@Import(value = { Application.class, ContextDatasource.class })
@ComponentScan(basePackages = { "org.rest.api.server.*" })
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private RestAuthEntryPoint authenticationEntryPoint;

    @Autowired
    MerchantAuthService myUserDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // method body was not preserved on the page; standard wiring of the provider below
        auth.authenticationProvider(authenticationProvider());
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(myUserDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // method body was not preserved on the page; the question states CSRF was disabled here
        http.csrf().disable();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}

POM Configuration:


Do you know how I can fix this issue? Can I somehow disable this CSRF check in Spring only for /notification?
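A configuration that answers the narrower question (exempt only the notification endpoint while keeping CSRF protection for everything else) is shown below. This is an added example, not code from the question or the answer; the package, class names, the `X-Notification-Token` header and the `notification.shared-secret` property are assumptions, and the API used is the pre-5.7 `WebSecurityConfigurerAdapter` style that the question itself uses.

```java
package org.example.security;  // assumed package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class NotificationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Only this path skips the CSRF token check. Every other
                // state-changing request still needs a valid _csrf token,
                // so the browser-facing part of the app stays protected.
                .ignoringAntMatchers("/v1/notification")
                .and()
            .authorizeRequests()
                // The webhook is called server-to-server without a session,
                // so it is opened here and authenticated in the handler instead.
                .antMatchers(HttpMethod.POST, "/v1/notification").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }
}

// Without the CSRF check, the endpoint needs its own caller authentication.
// A shared secret in a request header, compared in constant time, is the
// minimum; a per-request signature over the body is stronger.
@RestController
class NotificationController {

    private final byte[] expectedToken;

    NotificationController(@Value("${notification.shared-secret}") String sharedSecret) {
        // assumed property; configured out of band, never committed to source
        this.expectedToken = sharedSecret.getBytes(StandardCharsets.UTF_8);
    }

    @PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/v1/notification")
    public ResponseEntity<String> handleNotifications(
            @RequestHeader(value = "X-Notification-Token", required = false) String token,  // assumed header
            @RequestBody MultiValueMap<String, Object> keyValuePairs) {
        if (!tokenMatches(token)) {
            // Reject before touching the payload; do not reveal which part failed.
            return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
        }
        return new ResponseEntity<>(HttpStatus.OK);
    }

    private boolean tokenMatches(String presented) {
        if (presented == null) {
            return false;
        }
        // MessageDigest.isEqual runs in time independent of where the inputs differ
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), expectedToken);
    }
}
```

One check worth doing before changing any Spring configuration: the 403 page quoted in the question ("this site requires a CSRF cookie when submitting forms") is the wording of Django's `CsrfViewMiddleware`, not of Spring Security, whose CSRF rejection is a plain 403 with no such explanatory HTML. That suggests the Ruby client's request is being answered by something other than this Spring application (a different host, port, or proxy target), in which case no amount of `csrf().disable()` in Spring will change the response. In Spring Security 5.8 and later, `ignoringAntMatchers` is replaced by `ignoringRequestMatchers`, and `WebSecurityConfigurerAdapter` by a `SecurityFilterChain` bean.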

Probably because the code super.configure(http); is missing.

This code works on my PC:

@Configuration
@EnableWebSecurity
class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    UserDetailsService myUserDetailsService() {
        return new UserDetailsService() {
            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                UserDetails userDetails = null;
                try {
                    userDetails = new User("admin", "admin", getAuthorities());
                } catch (Exception e) {
                    // exception swallowed, as in the original; userDetails stays null
                }
                return userDetails;
            }

            private Collection<GrantedAuthority> getAuthorities() {
                List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>();
                authList.add(new SimpleGrantedAuthority("ROLE_USER"));
                authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                return authList;
            }
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        super.configure(http);
    }
}

and I can see that the login page adds the tag

<input name="_csrf" type="hidden" value="7a943334-47ed-4e81-b59b-445b70db080b">

if I comment out http.csrf().disable();
