Disable CSRF using property security.enable-csrf #11170
Description
Summary
I want to disable the CSRF security by setting to false the property security.enable-csrf in a active applicaton .properties file.
Actual Behavior
Based on the official documentation by default this security is enabled. To disable it you must specify it in org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.builders.HttpSecurity) with
http.csrf().disable();
or its equivalent in xml configuration.
Expected Behavior
The variable security.enable-csrf is acknowledged as one of the common properties by Spring Boot, yet setting it to false doesn't solve anything.
Configuration
In my application.yml I have this section
---
spring:
profiles: dev
security.enable-csrf: false
But setting the profile to dev won't disable the CRSF Security
Version
I am using spring-security-config-4.2.2.RELEASE
Possible solution
I solved this issue easily by specifying in my implementation of WebSecurityConfigurerAdapter the following code:
@Order(FRONTEND_SECURITY_ORDER)
@EnableAspectJAutoProxy
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
public static final int FRONTEND_SECURITY_ORDER
= SecurityProperties.ACCESS_OVERRIDE_ORDER + 3;
@Value("${security.enable-csrf}")
private boolean csrfEnabled;
@Override
protected void configure(HttpSecurity http) throws Exception {
if (!csrfEnabled) {
http.csrf().disable();
}
http
.httpBasic()
//..... etc
}
}
This will disable the csrf security if the property security.enable-csrf is set to false. An equivalent approach could be solved.