kakawait / uaa-behind-zuul-sample

Spring AuthorizationServer load balanced behind Zuul

Revamp CSRF #15

Open kakawait opened 7 years ago

HJK181 commented 6 years ago

Are you planning to work on this issue?

kakawait commented 6 years ago

@HJK181 Not the top priority task (unlike Spring Boot 2 support).

What exactly is your problem with CSRF today?

HJK181 commented 6 years ago

I have tried to stick to your project, great work btw, and have a problem getting XSRF to work. Or I'm missing something else.

Basically everything works, except the logout, which I'm trying to achieve by sending a POST to /logout from my UI application, but I'm getting a 403 error.

My security configuration looks like this:

@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .logout()
        .permitAll()
        // answer the logout POST with 200 instead of a redirect so the UI can handle it
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
    .and()
        .authorizeRequests()
        .antMatchers("/uaa/**", "/login", "/*/bower_components/**/*", "/*/src/*", "/*/images/**/*", "/management/view3/**", "/*/view404", "/*/view403").permitAll()
    .and()
        .authorizeRequests()
        .antMatchers("/management/**/*").hasAnyRole("USER", "ADMIN")
        .antMatchers("/admin/**/*").hasRole("ADMIN")
    .and()
        .authorizeRequests().anyRequest().authenticated()
    .and()
        // csrfRequestMatcher(), csrfTokenRepository() and csrfHeaderFilter() are the
        // beans copied from the sample project's master branch
        .csrf().requireCsrfProtectionMatcher(csrfRequestMatcher()).csrfTokenRepository(csrfTokenRepository())
    .and()
        .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    // @formatter:on
}

Everything else is taken from your example (master branch).

Before adding all your configuration regarding csrfRequestMatcher, csrfHeaderFilter and csrfTokenRepository, everything worked on my local machine when running all projects from STS, with this configuration:

@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .logout()
        .permitAll()
        // answer the logout POST with 200 instead of a redirect so the UI can handle it
        .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
    .and()
        .authorizeRequests()
        .antMatchers("/uaa/**", "/login", "/*/bower_components/**/*", "/*/src/*", "/*/images/**/*", "/management/view3/**", "/*/view404", "/*/view403").permitAll()
    .and()
        .authorizeRequests()
        .antMatchers("/management/**/*").hasAnyRole("USER", "ADMIN")
        .antMatchers("/admin/**/*").hasRole("ADMIN")
    .and()
        .authorizeRequests().anyRequest().authenticated()
    .and()
        // stock Spring Security cookie repository: token in a readable XSRF-TOKEN cookie,
        // expected back in the X-XSRF-TOKEN header on state-changing requests
        .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    // @formatter:on
}

But when I ran it with my old configuration via docker-compose, the login was broken and Zuul did not manage to redirect me after login. I was getting redirected to /uaa instead of the previous route. I think it's a problem with sessions and/or XSRF. So I added all your methods and changed the HttpSecurity to the one above. Now login works, but I'm not able to log out.

Thanks in advance for your time.
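As an added example (not code from this issue or from the sample project): with CookieCsrfTokenRepository.withHttpOnlyFalse(), as in the second configuration, Spring Security writes the token into a JavaScript-readable XSRF-TOKEN cookie and expects the same value back in an X-XSRF-TOKEN header on every non-safe request; a POST to /logout that does not carry that header is rejected with 403. The helper below shows the client side of that contract. The cookie and header names are Spring Security's defaults; the sample cookie string, the token value and the /logout URL are constructed for illustration, and `fetchImpl` is an injectable stand-in for the browser's fetch so the logic can be checked outside a browser.

```javascript
// Added example: cookie-to-header CSRF pattern as used by Spring Security's
// CookieCsrfTokenRepository. Not part of the issue or the sample project.

const CSRF_COOKIE = "XSRF-TOKEN";   // Spring Security default cookie name
const CSRF_HEADER = "X-XSRF-TOKEN"; // Spring Security default header name

// Parse a document.cookie-style string ("a=1; b=2") and return the named value,
// or null when the cookie is absent.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    if (key === name) return decodeURIComponent(part.slice(idx + 1).trim());
  }
  return null;
}

// Build fetch() options for a state-changing request. Returns null when no token
// is available so the caller can fail fast instead of sending a request the
// server will answer with 403.
function buildCsrfRequest(cookieString, method = "POST") {
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (!token) return null;
  return {
    method,
    credentials: "same-origin",          // the session cookie must travel too
    headers: { [CSRF_HEADER]: token },   // echo the cookie value as a header
  };
}

// Logout call as described in the issue: POST /logout with the CSRF header.
// Resolves to the HTTP status so the UI can react (e.g. 200 from
// HttpStatusReturningLogoutSuccessHandler, 403 when the token is rejected).
async function logout(cookieString, fetchImpl = globalThis.fetch) {
  const init = buildCsrfRequest(cookieString, "POST");
  if (!init) {
    throw new Error("no " + CSRF_COOKIE + " cookie; load a page with GET first so the server issues one");
  }
  const res = await fetchImpl("/logout", init);
  return res.status;
}

// Constructed sample cookie jar; the values are made up, not captured from the app.
const SAMPLE_COOKIES = "JSESSIONID=abc123; XSRF-TOKEN=11111111-2222-3333-4444-555555555555";

// Stand-in for the server: a fake fetch that behaves like Spring Security's CsrfFilter
// with a cookie repository, accepting the request only when header and cookie match.
function fakeSpringFetch(url, init) {
  const cookieToken = readCookie(SAMPLE_COOKIES, CSRF_COOKIE);
  const headerToken = init && init.headers ? init.headers[CSRF_HEADER] : undefined;
  const ok = url === "/logout" && init.method === "POST" && headerToken === cookieToken;
  return Promise.resolve({ status: ok ? 200 : 403 });
}
```

In the browser, `document.cookie` is passed as `cookieString`; the typical cause of a 403 on the logout POST in this setup is that the UI sends the request without the `X-XSRF-TOKEN` header at all.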

kakawait commented 6 years ago

@HJK181 Sorry, I'm a bit confused, could you clarify which is the old configuration? The first one or the second? Btw, do you have a repo where I can check out your sample with your change? Then I will be able to try it myself and we can try to find a solution together.