jwt/login example CSRF ignored because of Bearer Token #116
Comments
Hi @simasch, CSRF protection is unnecessary in this scenario because we are using stateless authentication. In other words, we are not dealing with Session Cookies, which are added to the request automatically by the browser, this way avoiding the majority of CSRF exploits. When using an The HTTP Basic authentication mechanism is also stateless, so no need for CSRF protection either.
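To make the reasoning in that comment concrete, here is an added model (it is not Spring Security's code and not the sample's RestConfig) of the CSRF decision the jwt/login configuration ends up with: state-changing requests that carry an `Authorization: Bearer` header are skipped (the BearerTokenRequestMatcher mentioned in the issue), the Basic-auth login endpoint is skipped by an explicit matcher, and only cookie-authenticated requests must present the token. The `Request` class, the `/token` path, the `session_tokens` map and the `X-CSRF-TOKEN` header name are assumptions of this model.

```python
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}  # methods a CSRF filter never challenges


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (assumption, not a Spring type)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # e.g. Authorization, X-CSRF-TOKEN
    cookies: dict = field(default_factory=dict)   # e.g. JSESSIONID, attached by the browser itself


def has_bearer_token(req: Request) -> bool:
    """Stand-in for BearerTokenRequestMatcher: an explicit Authorization: Bearer header.
    A browser never adds this header on its own, so a cross-site page cannot supply it."""
    return req.headers.get("Authorization", "").lower().startswith("bearer ")


def is_login_endpoint(req: Request) -> bool:
    """Stand-in for the explicit ignore matcher on the Basic-auth login call
    that mints the JWT ("/token" is an assumed path)."""
    return req.path == "/token"


IGNORED_MATCHERS = (has_bearer_token, is_login_endpoint)


def requires_csrf(req: Request) -> bool:
    """True when the CSRF filter will demand a token for this request."""
    if req.method.upper() in SAFE_METHODS:
        return False
    return not any(matcher(req) for matcher in IGNORED_MATCHERS)


def csrf_allows(req: Request, session_tokens: dict) -> bool:
    """Decide whether the request passes the CSRF filter.
    session_tokens maps a session cookie value to the CSRF token issued for that
    session (constructed stand-in for a server-side token repository)."""
    if not requires_csrf(req):
        return True
    expected = session_tokens.get(req.cookies.get("JSESSIONID", ""))
    supplied = req.headers.get("X-CSRF-TOKEN")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    tokens = {"sess-1": "tok-abc"}  # constructed session -> CSRF token
    # Cookie-only POST: the browser attached the cookie, but no token was supplied -> rejected
    print(csrf_allows(Request("POST", "/api/orders", cookies={"JSESSIONID": "sess-1"}), tokens))
    # Same POST with a Bearer token: the CSRF check is skipped entirely -> allowed
    print(csrf_allows(Request("POST", "/api/orders", {"Authorization": "Bearer x.y.z"}), tokens))
```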
Hi @marcusdacoregio, will https://github.com/spring-projects/spring-security-samples/blob/main/servlet/spring-boot/java/jwt/login/src/main/java/example/RestConfig.java be changed accordingly?
Hi @simasch, what changes specifically do you expect to see in the configuration?
instead of
Because it was very confusing that CSRF is configured but not used and no token was generated.
It is a little tricky for sure, but I think keeping It is a recommended secure posture to "deny" everything unless they are authorized; it's the same train of thought as spring-projects/spring-security#11958
Makes sense!
Hi,
I tried the jwt/login example and noticed that the CSRF token is not generated when a Bearer token is present because of BearerTokenRequestMatcher.
The only request without Bearer token would be the auth request with basic authentication, but for this request CSRF is disabled.
Does the example make sense? Or why isn't CSRF disabled at all?
Thank you.