How to disable csrf in Spring using application.properties?

前端 未结 2 1640
眼角桃花
眼角桃花 2021-02-07 01:20

The following property exists:

security.enable-csrf=false

BUT csrf protection is still on if I add the property to application.properties

2条回答
  •  青春惊慌失措
    2021-02-07 02:21

    An update:

    Looks like there is an issue with disabling CSRF using application.properties on spring-boot 1.x (and thanks to Eliux for openning this case).

    So my solution for spring-boot 1.5.7 with an embedded tomcat is disabling CSRF via SecurityConfig class (note that this way I keep the tomcat ootb basic authentication):

    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Note: 
            // Use this to enable the tomcat basic authentication (tomcat popup rather than spring login page)
            // Note that the CSRf token is disabled for all requests (change it as you wish...)
            http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
        }
    
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            // Add here any custom code you need in order to get the credentials from the user...  
            auth.inMemoryAuthentication()
                .withUser("myUserName")
                .password("myPassword")
                .roles("USER");
        }
    } 
    

提交回复
热议问题