CSRF on spring cloud gateway removing formData from POST requests 400 bad request error #11620

Closed
manjosh1990 opened this issue Jul 26, 2022 · 1 comment
Labels
for: stackoverflow A question that's better suited to stackoverflow.com

manjosh1990 commented Jul 26, 2022

Describe the bug
I have enabled CSRF on my Spring Cloud API gateway server. I have Angular as my GUI framework, which calls the REST services through the API gateway.
I have used a custom filter to add the CSRF token to the response headers.
When the POST call is made, I see that the formData is lost, so I always get 400 Bad Request errors.
I disabled CSRF and the request goes through fine without any issues.

Is there something wrong?

Expected behavior
The POST request should not be mutated and should process through the gateway application.

Sample
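```java
// javax.annotation on Spring Boot 2.x; jakarta.annotation on Spring Boot 3
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;

@SpringBootApplication
public class GatewayApplication {

    // ProfileManager is the application's own class (not shown in the issue)
    @Autowired
    ProfileManager profileManager;

    @PostConstruct
    public void onInit() {
        profileManager.printActiveProfiles();
    }

    public static void main(String[] args) {
        SpringApplication.run(GatewayApplication.class, args);
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange().anyExchange().permitAll();
        // CSRF token is stored in a cookie readable by client-side script
        http.csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse());
        return http.build();
    }
}
```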

Below is the code of the filter:

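```java
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Component
public class CsrfHeaderFilter implements WebFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        // The CSRF web filter stores the token as a Mono<CsrfToken> exchange attribute
        Mono<CsrfToken> token = (Mono<CsrfToken>) exchange.getAttributes().get(CsrfToken.class.getName());
        if (token != null) {
            // Subscribe to the token, then continue the filter chain
            return token.flatMap(t -> chain.filter(exchange));
        }
        return chain.filter(exchange);
    }

}
```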

https://stackoverflow.com/questions/73117195/csrf-on-spring-cloud-gateway-removing-formdata-from-post-requests-400-bad-reques

sjohnr (Member) commented Jul 26, 2022

@manjosh1990 thanks for reaching out. I have added comments to your SO question to get some additional information. Please note that it's not necessary to cross-post from SO to GitHub as the team checks stackoverflow regularly. We prefer to use GitHub issues only for bugs and enhancements. With that in mind, I'm going to close this issue.

sjohnr closed this as completed Jul 26, 2022
sjohnr added the "for: stackoverflow" label (A question that's better suited to stackoverflow.com) and removed the "status: waiting-for-triage" (An issue we've not yet triaged) and "type: bug" (A general bug) labels Jul 26, 2022
sjohnr self-assigned this Jul 26, 2022