Spring Security using CSRF token even though not specified and turned off

Question

For my project I am trying to make a simple service which can do POST, GET and DELETE requests. I'm not interested in the extra security layer added by CSRF, so I want it turned off. I know that by default it should be off, but it does not seem to behave. Every time I make a post request, it gives me the following output:

/users/insert at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy        : /users/insert at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.security.web.FilterChainProxy        : /users/insert at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.security.web.FilterChainProxy        : /users/insert at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/users/insert
o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6c3a524b
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

If I do a GET request it works just fine.

My pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.webservices</groupId>
    <artifactId>restservice</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>restservice</name>
    <description>Rest webservice</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-hateoas</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <version>5.3.2.RELEASE</version>
            <scope>test</scope>
        </dependency>

         <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.data</groupId>
            <artifactId>spring-data-rest-hal-browser</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.data</groupId>
            <artifactId>spring-data-rest-hal-browser</artifactId>
        </dependency>

        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger2</artifactId>
            <version>2.9.2</version>
        </dependency>

        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger-ui</artifactId>
            <version>2.9.2</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

In my application.properties I've tried security.enable.csrf=false, but it does not work.

Have you added the csrf.disable() in configure(HttpSecurity http) method? — Romil Patel, Jul 08 '20 at 12:48
I thought I did, but turns out I must have done something wrong. Adding it fixed my problem, thanks! — MisterJay, Jul 09 '20 at 09:27

score 1 · Accepted Answer · answered Jul 09 '20 at 16:42

CSRF stands for Cross-Site Request Forgery which is default enabled while using the Spring Security as follows,

public CsrfConfigurer<HttpSecurity> csrf() throws Exception {
    ApplicationContext context = getContext();
    return getOrApply(new CsrfConfigurer<>(context));
}

Completly Disable

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().disable()...
}

Partially Enabled

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().ignoringAntMatchers("csrf-disabled-endpoints")...
}

Include CSRF

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().ignoringAntMatchers("csrf-disabled-endpoints")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())...
}

You may like to explore more details here What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?

score 0 · Answer 2 · answered Jul 08 '20 at 13:10

CSRF protection is enabled by default. There is no way to disable the csrf feature by configuring in application.properties by default. As Patel points out, this must be done by disabling csrf on your HttpSecurity configuration.

See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf-configure-disable on how to do this using either XML or Java configuration.

You may create your own application.properties entry by using an @Value within your java configuration. e.g. @Value("${security.enable.csrf}") private boolean csrfEnabled;

score 0 · Answer 3 · answered Jul 09 '20 at 09:28

0

The answer from Patel Romil fixed my problem!

Have you added the csrf.disable() in configure(HttpSecurity http) method?

answered Jul 09 '20 at 09:28

MisterJay

33
1
4

Hello Jay, I have added more details in the answer, which you might like to explore – Romil Patel Jul 09 '20 at 16:43

Spring Security using CSRF token even though not specified and turned off

3 Answers3

Linked