Disable CSRF using property `security.enable-csrf`
Summary
I want to disable the CSRF security by setting the property security.enable-csrf to false in an active application.properties file.
Actual Behavior
Based on the official documentation by default this security is enabled. To disable it you must specify it in org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity)
with
http.csrf().disable();
or its equivalent in xml configuration.
Expected Behavior
The variable security.enable-csrf is acknowledged as one of the common properties by Spring Boot, yet setting it to false doesn’t solve anything.
Configuration
In my application.yml I have this section
---
spring:
  profiles: dev
security.enable-csrf: false
But setting the profile to dev won’t disable the CSRF security.
Version
I am using spring-security-config-4.2.2.RELEASE
Possible solution
I solved this issue easily by specifying in my implementation of WebSecurityConfigurerAdapter
the following code:
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// The constant must be qualified with the class name: a class's own fields are
// not in scope inside annotations placed on that class.
@Order(WebSecurityConfig.FRONTEND_SECURITY_ORDER)
@EnableAspectJAutoProxy
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Run after Boot's own security auto-configuration so this adapter wins.
    public static final int FRONTEND_SECURITY_ORDER
            = SecurityProperties.ACCESS_OVERRIDE_ORDER + 3;

    // Read the Boot property directly; note that @Value without a default
    // fails context startup if security.enable-csrf is not set anywhere.
    @Value("${security.enable-csrf}")
    private boolean csrfEnabled;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only turn CSRF protection off when the property explicitly says so.
        if (!csrfEnabled) {
            http.csrf().disable();
        }
        http
            .httpBasic()
            //..... etc
    }
}
This will disable the CSRF security if the property security.enable-csrf is set to false. An equivalent approach could be solved.
Issue Analytics
- Created 6 years ago
- Reactions: 1
- Comments: 11 (5 by maintainers)
Just stumbled on this issue. I am confused about whether CSRF is disabled in 1.5.9 by default or not. The documentation for 1.5.9 explicitly mentions that it is enabled by default:
https://docs.spring.io/spring-boot/docs/1.5.9.RELEASE/reference/htmlsingle/
However further down we find:
Which seems to imply that the csrf setting is set to false by default.
According to @mbhave’s comment it is disabled which also matches my experience? Please clarify in this issue and possibly update the documentation for 1.5.9?
Thank you.
It is a breaking change but it’s done to tighten security. It makes sense for Boot to stick to Spring Security’s defaults in this case and it’s pretty easy to flip it back if people want that with a flag.
That shouldn’t be the case with 1.5.11.BUILD-SNAPSHOTS because Spring Boot and Spring Security’s defaults for CSRF are the same there. For the documentation part of it, I’ve added a new issue here.