Ad

Spring Boot Security And Auth0 - Cannot Disable CSRF

I am building a RESTful Spring Boot and React/Alt application. I want to add spring security to make sure that there could be no unauthenticated requests to the API.

I am using Auth0 for an authentication provider so users can log in to the application and more specifically the spring-security-auth0 library to handle the server side security side of things. https://github.com/auth0/spring-security-auth0

After following the basic tutorial on Auth0, I have configured the security config in my spring application so that requests to the API will not work without a JSON web token. This works, but there are some endpoints (those that need a POST) in the controllers that don't. I get this error in Chrome devtools -

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

I understand that there are no CSRF headers present and that is why it isn't working. But the main reason I am confused is because I have disabled CSRF and it still happens. As the spring docs instruct, I've done this -

@Configuration
@EnableWebSecurity
@ComponentScan("com.auth0")
@ImportResource("classpath:auth0-security-context.xml")
@PropertySource("classpath:auth0.properties")
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }

I don't need CSRF in this case as the app will only ever be used in a dev environment. Why does this still happen even though I have disabled CSRF completely?

Ad

Answer

The CsrfFilter that is responsible for the Exception is definetly enabled. This can have various reasons. Can it be you have another instance of WebSecurityConfigurerAdapter configured somewhere ?

You can try the following :

Set a breakpoint in line 'http.csrf().disable();' to see if its really executed.

Set breakpoints in the constructor(s) of WebSecurityConfigurerAdapter to see whether many instances are created.

This should show you whats going wrong..

Ad
source: stackoverflow.com
Ad