Open kakawait opened 7 years ago
@HJK181 Not the top priority task (unlike Spring boot 2 support)
What is exactly your problem with CSRF today?
I have tried to stick to your project, great work btw, and have a problem getting XSRF to work. Or I'm missing something else.
Basically everything works, except the logout, which I'm trying to achieve by sending a POST to /logout from my UI application, but I'm getting a 403 error.
My security configuration looks like this:
```java
@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .logout()
            .permitAll()
            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
        .and()
        .authorizeRequests()
            .antMatchers("/uaa/**", "/login", "/*/bower_components/**/*", "/*/src/*", "/*/images/**/*", "/management/view3/**", "/*/view404", "/*/view403").permitAll()
        .and()
        .authorizeRequests()
            .antMatchers("/management/**/*").hasAnyRole("USER", "ADMIN")
            .antMatchers("/admin/**/*").hasRole("ADMIN")
        .and()
        .authorizeRequests().anyRequest().authenticated()
        .and()
        // CSRF: matcher, token repository and header filter taken from the example project
        .csrf().requireCsrfProtectionMatcher(csrfRequestMatcher()).csrfTokenRepository(csrfTokenRepository())
        .and()
        .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    // @formatter:on
}
```
Everything else is taken from your example (master branch).
Before adding all your configurations regarding csrfRequestMatcher, csrfHeaderFilter and csrfTokenRepository, everything worked on my local machine when running all projects from STS, with this configuration:
```java
@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .logout()
            .permitAll()
            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
        .and()
        .authorizeRequests()
            .antMatchers("/uaa/**", "/login", "/*/bower_components/**/*", "/*/src/*", "/*/images/**/*", "/management/view3/**", "/*/view404", "/*/view403").permitAll()
        .and()
        .authorizeRequests()
            .antMatchers("/management/**/*").hasAnyRole("USER", "ADMIN")
            .antMatchers("/admin/**/*").hasRole("ADMIN")
        .and()
        .authorizeRequests().anyRequest().authenticated()
        .and()
        // CSRF token issued in a readable cookie (XSRF-TOKEN) so the UI can echo it back as a header
        .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    // @formatter:on
}
```
But when I ran it with my old configuration via docker-compose, the login was broken and Zuul did not manage to redirect me after login: I was getting redirected to /uaa instead of the previous route. I think it's a problem with sessions and/or XSRF. So I added all your methods and changed the HttpSecurity to the one above. Now login works, but I'm not able to log out.
Thanks in advance for your time.
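Added example, not code from the issue or from the project it discusses: with `CookieCsrfTokenRepository`, Spring Security's `CsrfFilter` answers a POST whose token is missing or mismatched with 403, and by default it hands the token to the browser in the `XSRF-TOKEN` cookie and expects it back in the `X-XSRF-TOKEN` header. The snippet shows the client side a UI needs for `POST /logout`; the function names and the cookie string in the usage comment are assumptions made here.

```javascript
// Client-side counterpart to CookieCsrfTokenRepository.withHttpOnlyFalse():
// read the XSRF-TOKEN cookie and send it as the X-XSRF-TOKEN header on
// state-changing requests such as POST /logout. Without the header the
// CsrfFilter rejects the request with HTTP 403 (the symptom in the issue).
// Function names here are assumptions, not Spring Security or project API.

// Return the value of one cookie from a document.cookie-style string
// ("a=1; b=2"), or null when it is absent. Values are URL-decoded.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the fetch() init object for POST /logout. Returns null when no token
// cookie exists: sending the request anyway would only reproduce the 403, so
// the caller should first obtain a token (e.g. any GET that passes CsrfFilter
// sets the cookie) and retry.
function buildLogoutRequest(cookieString) {
  const token = readCookie(cookieString, 'XSRF-TOKEN');
  if (token === null) return null;
  return {
    method: 'POST',
    credentials: 'same-origin',          // send the session cookie (JSESSIONID)
    headers: { 'X-XSRF-TOKEN': token },  // echo the CSRF token back as a header
  };
}

// Browser usage (constructed; not executed here):
//   const init = buildLogoutRequest(document.cookie);
//   if (init) fetch('/logout', init).then(r => console.log(r.status));
// With HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK) a successful
// logout answers 200 instead of a redirect.
```

Because the UI runs behind Zuul in the setup described, the cookie and the header must be visible on the same origin the browser talks to; a token cookie set for a different host or path is never sent back and produces the same 403.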
@HJK181 Sorry, I'm a bit confused, could you clarify which is the old configuration, the first one or the second? Btw, do you have a repo where I can check out your sample with your changes? Then I will be able to try it myself and we can find a solution together.
Are you planning to work on this issue?