Selectively disable csrf by RequestMatcher #5477
This introduces an evolution on CsrfConfigurer#ignoreAntMatchers, allowing users to specify a RequestMatcher in the circumstance where more than just the path needs to be analyzed to determine whether CsrfFilter should require a token for the request. Simply put, a user can now selectively disable csrf by request matcher in addition to the way it can already be done with ant matchers. Fixes: spring-projectsgh-5477
I came here to request this specific feature. Any chance of a backport to 4.3? (As far as I can tell,
Probably not, @chrylis. There are no plans for a 4.3.x series of releases and the 4.2.x series is really just for bug fixes at this point. You can do this by customizing the csrf filter outside of the DSL, though:

```java
RequestMatcher myMatcher =
    new AndRequestMatcher(
        CsrfFilter.DEFAULT_CSRF_MATCHER,
        new NegatedRequestMatcher(/* your logic */));
csrfFilter.setRequireCsrfProtectionMatcher(myMatcher);
```

And then either use

```java
CsrfFilter csrfFilter = new CsrfFilter(...);
// your customizations
http.addFilter(csrfFilter);
```

Or use

```java
http
    .csrf()
    // ObjectPostProcessor#postProcess is generic and must hand the filter back
    .withObjectPostProcessor(new ObjectPostProcessor<CsrfFilter>() {
        public <O extends CsrfFilter> O postProcess(O csrfFilter) {
            // your customizations
            return csrfFilter;
        }
    });
```
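An added worked example (not code from the PR or from the maintainer's reply) for the case the PR is about, where more than the request path decides whether a CSRF token is needed: a hypothetical policy that exempts requests carrying a bearer token in the Authorization header. It assumes Spring Security 5.1+ for the ignoringRequestMatchers DSL form and shows the 4.2.x hand-composed matcher beside it.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class CsrfMatcherConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical policy for this example: a request that authenticates with
    // "Authorization: Bearer ..." is not riding on a browser session cookie, so
    // it is exempt from CSRF. A browser cannot attach this header cross-site
    // without a CORS preflight, so its presence is a usable signal, but only if
    // the application really authenticates such requests from the token and
    // never falls back to the session cookie when the header is present.
    static final RequestMatcher BEARER_AUTH = request -> {
        String auth = request.getHeader("Authorization");
        return auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7);
    };

    // Spring Security 5.1+: CsrfConfigurer accepts a RequestMatcher directly,
    // so everything else keeps the default rule (token required for methods
    // other than GET, HEAD, TRACE and OPTIONS).
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().ignoringRequestMatchers(BEARER_AUTH);
    }

    // Spring Security 4.2.x equivalent: compose "default rule AND NOT exempt"
    // by hand and pass it to csrfFilter.setRequireCsrfProtectionMatcher(...),
    // as the reply above describes.
    static RequestMatcher legacyRequireCsrfMatcher() {
        return new AndRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER,
                new NegatedRequestMatcher(BEARER_AUTH));
    }
}
```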
My current approach has been to implement a custom matcher, so it's working, but upgrading to 5 is not an option until authorization is implemented.
Can you clarify what you mean? Is there something Spring Security 5 is missing that is preventing an update?
@rwinch The project in question is an OAuth2 authorization server.
Yes. You are correct. You would need to use the old support for an authorization server at this point. |
CsrfConfigurer can already be selectively disabled using ant patterns:

Being able to ignore by a RequestMatcher would lend more power to the user as other parts of the request would now become available as well: