https://github.com/devondragon/SpringUserFramework/issues/2

src/main/java/com/digitalsanctuary/spring/user/util/WebSecurityConfig.java

@@ -49,6 +49,9 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Value("#{'${user.security.unprotectedURIs}'.split(',')}")
 	private String[] unprotectedURIsArray;
 
+	@Value("#{'${user.security.disableCSRFdURIs}'.split(',')}")
+	private String[] disableCSRFURIsArray;
+
 	@Value("${user.security.loginPageURI}")
 	private String loginPageURI;
 
@@ -122,22 +125,33 @@ protected void configure(HttpSecurity http) throws Exception {
 		unprotectedURIs.add(forgotPasswordURI);
 		unprotectedURIs.add(forgotPasswordPendingURI);
 		unprotectedURIs.add(forgotPasswordChangeURI);
-		unprotectedURIs.toArray(new String[0]);
+		unprotectedURIs.removeAll(Arrays.asList("", null));
 
 		logger.debug("WebSecurityConfig.configure:" + "enhanced unprotectedURIs: {}", unprotectedURIs.toString());
 
+		ArrayList<String> disableCSRFURIs = new ArrayList<String>();
+		disableCSRFURIs.addAll(Arrays.asList(disableCSRFURIsArray));
+		disableCSRFURIs.removeAll(Arrays.asList("", null));
+
 		if (DEFAULT_ACTION_DENY.equals(getDefaultAction())) {
 			http.authorizeRequests().antMatchers(unprotectedURIs.toArray(new String[0])).permitAll().anyRequest()
 					.authenticated().and().formLogin().loginPage(loginPageURI).loginProcessingUrl(loginActionURI)
 					.successHandler(loginSuccessService).permitAll().and().logout().logoutUrl(logoutActionURI)
 					.invalidateHttpSession(true).logoutSuccessHandler(logoutSuccessService).deleteCookies("JSESSIONID")
 					.permitAll();
+			if (disableCSRFURIs != null && disableCSRFURIs.size() > 0) {
+				http.csrf().ignoringAntMatchers(disableCSRFURIs.toArray(new String[0]));
+			}
 		} else if (DEFAULT_ACTION_ALLOW.equals(getDefaultAction())) {
 			http.authorizeRequests().antMatchers(protectedURIsArray).authenticated().antMatchers("/**").permitAll()
 					.and().formLogin().loginPage(loginPageURI).loginProcessingUrl(loginActionURI)
 					.successHandler(loginSuccessService).successHandler(loginSuccessService).and().logout()
 					.logoutUrl(logoutActionURI).invalidateHttpSession(true).logoutSuccessHandler(logoutSuccessService)
 					.deleteCookies("JSESSIONID").permitAll();
+
+			if (disableCSRFURIs != null && disableCSRFURIs.size() > 0) {
+				http.csrf().ignoringAntMatchers(disableCSRFURIs.toArray(new String[0]));
+			}
 		} else {
 			logger.error("WebSecurityConfig.configure:"
 					+ "user.security.defaultAction must be set to either {} or {}!!!  Denying access to all resources to force intentional configuration.",

src/main/resources/application.properties

@@ -35,6 +35,9 @@ user.security.protectedURIs=/protected.html
 // Used if default is deny
 user.security.unprotectedURIs=/,/index.html,/favicon.ico,/css/*,/js/*,/img/*,/user/registration,/user/resendRegistrationToken,/user/resetPassword,/user/registrationConfirm,/user/changePassword,/user/savePassword
 
+// URIs to disable CSRF checks. This might include API endpoints used by external clients.
+user.security.disableCSRFdURIs=/no-csrf-test
+
 
 // Centralizing the URIs of common pages to make changing paths easier.  You can leave this section alone if you use the default page locations from this project.  These URLs do NOT have to be included in the unprotectedURIs list above as they will automatically be handled.
 user.security.loginPageURI=/user/login.html