
I have some problems with Spring Cloud and CSRF protection. I secured my application (a gateway and a sign up service) with Spring Cloud Security, OAuth2 etc.

I granted access to everyone (permitAll) to /signup, which is where the gateway routes to the actual sign up service. I also granted access to everyone on the sign up server itself. This works as expected.

What causes me headaches is the CSRF protection. The gateway and the sign up service both create a CSRF token on their own. The token from the gateway will be sent to the client and the token from the sign up service is lost (somewhere at the gateway).

If I post something to the sign up service, the CSRF protection kicks in and says that the token was null, or that the actual value did not match the expected value if I try to reuse the value from the gateway, which is available in the HTTP headers.

I've got it working by disabling CSRF on the sign up service, but it doesn't seem to be the right solution, because it only works when someone sends the token back from the client, like an Angular SPA. When I try to submit a form (which is rendered on the sign up service) from the browser, this fails because of the missing _csrf parameter. If I activate CSRF on the sign up service and add the _csrf parameter to the form, the CSRF protection of the gateway kicks in and says the actual token doesn't match the expected one, which is absolutely right, because the actual token is the one from the sign up service and the expected token is from the gateway.

I could disable CSRF on the gateway, but this would mean that I have to configure the CSRF stuff on every service which is consumed by a REST client or a SPA.

I've tried the ignoreAntMatchers() in the HttpSecurity.csrf() configuration, where I can exclude specific paths, but this does not help me either. The expected value is something completely different. It seems a new session is created for the POST request.

So is there any chance I could use CSRF at the gateway and the sign up service with form submission and Zuul at once?

wbiller

1 Answer


You should be able to make it work: I think that CSRF should be disabled in Zuul, and that Zuul should forward the original CSRF token from the service.

Did you try setting custom "sensitive-headers" to avoid losing the token? Since the default configuration is to remove any "Cookie" and "Set-Cookie" header, you need to change it:

zuul:
  routes:
    users:
      path: /myusers/**
      # This is the default value if not set
      sensitiveHeaders: Cookie,Set-Cookie,Authorization
      url: https://downstream

becomes

zuul:
  routes:
    users:
      path: /myusers/**
      sensitiveHeaders: Authorization
      url: https://downstream

Raphael
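As an added example of the split the answer describes (this is not code from the original question, the answer, or the Spring Cloud project): the gateway switches its own CSRF filter off and lets Zuul pass Cookie and Set-Cookie through, so the downstream JSESSIONID survives the hop and the sign up service can keep Spring Security's default session-backed CSRF token, which its server-rendered form then echoes back in `_csrf`. Package, class names, the `/signup/**` route and the downstream URL are assumptions; the Spring Security and Spring Cloud Netflix APIs used are the standard ones from the 1.x Spring Cloud line the question refers to.

```java
// Gateway application (assumed package and class names).
package example.gateway;

import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@SpringBootApplication
@EnableZuulProxy
public class GatewayApplication {

    // Matching application.yml for the gateway (route name and URL are assumptions).
    // Dropping Cookie and Set-Cookie from sensitiveHeaders is what keeps the downstream
    // session (and therefore its CSRF token) alive across the proxy:
    //
    // zuul:
    //   routes:
    //     signup:
    //       path: /signup/**
    //       sensitiveHeaders: Authorization
    //       url: https://signup-service

    @Configuration
    @EnableWebSecurity
    static class GatewaySecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // No CSRF check at the edge: the gateway would otherwise compare the
                // downstream service's _csrf value against its own session token.
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/signup/**").permitAll()
                    .anyRequest().authenticated();
        }
    }
}

// ---------------------------------------------------------------------------
// Sign up service (a separate application; shown here in the same file only
// for illustration). CSRF stays enabled with the default
// HttpSessionCsrfTokenRepository, so the token is bound to the service's own
// HTTP session, which now reaches it because the gateway forwards cookies.
// ---------------------------------------------------------------------------

@Configuration
@EnableWebSecurity
class SignupSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // default token repository: token lives in the session, the form
                // renders it as <input type="hidden" name="_csrf" value="...">
            .and()
            .authorizeRequests()
                .anyRequest().permitAll();
    }
}
```

With this layout the browser form posted through the gateway carries the sign up service's own `_csrf` value plus the service's JSESSIONID, and only the service validates it. If the same service must also be reachable from an SPA such as the Angular client the question mentions, the usual Spring Security option is `http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())` on the service, which exposes the token as an `XSRF-TOKEN` cookie the client can read and send back as an `X-XSRF-TOKEN` header; that cookie also only reaches the client because Set-Cookie is no longer stripped at the gateway.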