
CSRF enabled on Spring Cloud Gateway does not allow login API POST REST call

I have an API gateway in front of my REST API microservice. The gateway is implemented using the Spring Cloud Gateway project. I want to enable CSRF on the API gateway. I used the code below, provided in the documentation, to enable it.

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
            // ...
            .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()));
    return http.build();
}

To log in to my app, the GUI makes a POST API request to my REST web service, which goes through the API gateway. This call is blocked with the message "An expected CSRF token cannot be found".

So I wanted to permit only the login request and hence made the changes as below.

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
            // ...
            .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeExchange().pathMatchers("/login")
            .permitAll();
    return http.build();
}

Now when I restart my application, it does not go to my landing page; instead it presents its own login page.

Below is my entire configuration. I have Angular running my GUI.

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;

@Configuration
@EnableWebFluxSecurity
public class NettyConfiguration implements WebServerFactoryCustomizer<NettyReactiveWebServerFactory> {

    @Value("${server.max-initial-line-length:65536}")
    private int maxInitialLineLength;
    @Value("${server.max-http-header-size:65536}")
    private int maxHttpHeaderSize;

    // Raise Netty's request-line and header limits so large headers (e.g. long cookies) are accepted.
    @Override
    public void customize(NettyReactiveWebServerFactory container) {
        container.addServerCustomizers(
                httpServer -> httpServer.httpRequestDecoder(
                        httpRequestDecoderSpec -> {
                            httpRequestDecoderSpec.maxHeaderSize(maxHttpHeaderSize);
                            httpRequestDecoderSpec.maxInitialLineLength(maxInitialLineLength);
                            return httpRequestDecoderSpec;
                        }
                )
        );
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
                // ...
                .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
                .authorizeExchange().pathMatchers("/login")
                .permitAll();
        return http.build();
    }

}

See: Disable authentication and csrf for a given path in Spring Webflux?

The gist of it is that authorizeRequests() does not care about csrf. You should use requireCsrfProtectionMatcher instead to specify which URLs would be subject to CORS verification.
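As an added example (this is not code from the question or the answer above, and not from the Spring project): a complete SecurityWebFilterChain for the gateway that puts the answer's advice into practice. CSRF checks are scoped with requireCsrfProtectionMatcher: Spring's default rule (every method except GET, HEAD, TRACE and OPTIONS needs a token) stays in force, and only POST /login is carved out. No authorizeExchange() rule is configured, because that spec decides who may reach a path, not whether CsrfWebFilter checks it. The class name and the assumption that the login endpoint is POST /login are mine.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class GatewayCsrfConfiguration {

    // Assumption: the login endpoint proxied by the gateway is POST /login.
    private static final String LOGIN_PATH = "/login";

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Only the login POST is exempt. A GET /login (if any) is not affected
        // either way, because safe methods are never CSRF-checked.
        ServerWebExchangeMatcher loginPost =
                ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, LOGIN_PATH);

        // Keep Spring's default "unsafe methods require a token" rule and
        // subtract the login POST from it.
        ServerWebExchangeMatcher csrfRequired = new AndServerWebExchangeMatcher(
                CsrfWebFilter.DEFAULT_CSRF_MATCHER,
                new NegatedServerWebExchangeMatcher(loginPost));

        http
                // XSRF-TOKEN cookie readable by JavaScript; Angular's HttpClient
                // reflects it as the X-XSRF-TOKEN header on non-GET requests.
                .csrf(csrf -> csrf
                        .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
                        .requireCsrfProtectionMatcher(csrfRequired));
        // Deliberately no authorizeExchange(): adding it with a rule for /login
        // alone turns on authorization for every other path, which is what
        // produced the unexpected login page in the question.
        return http.build();
    }
}
```

Two caveats a practitioner should weigh. First, exempting the login POST gives up protection against login CSRF (a third-party page submitting the attacker's credentials so the victim's browser ends up logged in as the attacker). Because the repository above already exposes the token in the XSRF-TOKEN cookie and Angular sends it back automatically for same-origin, non-GET requests, the stricter alternative is to keep /login protected and ensure the SPA has received the cookie (for example by loading the app shell) before it posts credentials. Second, in WebFlux the token is produced lazily; if the cookie never appears in responses, the usual remedy is a small WebFilter that subscribes to the CsrfToken exchange attribute so the repository writes the cookie.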

The technical posts on this site are licensed under CC BY-SA 4.0. If you reprint, please credit the site URL or the original address. Contact: yoyou2525@163.com.

Guangdong ICP No. 18138465  © 2020-2024 STACKOOM.COM