I use Apereo CAS (formerly Jasig CAS) (github here). Next, I create a very simple application in Vaadin, which connects to CAS during authentication. Everything works seamlessly until I turned on CSRF from Spring Security.
If CSRF is turned on, then the redirection to CAS login page works OK. But after the successful authentication (login, passoword), CAS wants to redirect back to my application. Then I see this:
{
"timestamp": 1498657046424,
"status": 403,
"error": "Forbidden",
"message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
"path": "/contextPath/"
}
I use Spring Boot @EnableWebSecurity, so please take a look at the configuration from there:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilter(casAuthenticationFilter())
.addFilterBefore(singleSignOutFilter(), CasAuthenticationFilter.class)
.exceptionHandling()
.authenticationEntryPoint(casAuthenticationEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/login")
.permitAll()
.anyRequest()
.authenticated();
http.csrf().disable(); //works when disable
}
My question: How to configure Spring Security to make CSRF work properly with CAS authentication?
I'm using Spring Boot 1.5.4.RELEASE (maven parent) and Vaadin 8.0.5 (BOM).
