Update
I edited the title to make this a more generic issue; please read my response below for more information about the generic issue.
Summary
When reading the doc of LogoutConfigurer:
The URL that triggers log out to occur (default is "/logout"). If CSRF protection
is enabled (default), then the request must also be a POST. This means that by
default POST "/logout" is required to trigger a log out. If CSRF protection is
disabled, then any HTTP method is allowed.
This is only partially true, because in reality it depends on the presence of a CsrfConfigurer and not on whether CSRF is truly enabled or not.
Actual Behavior
With such a configuration, which clearly disables CSRF, logout will still be only on POST:

    // Body of WebSecurityConfigurerAdapter.configure(HttpSecurity)
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            // CSRF is disabled from inside an applied configurer, not directly on http
            .apply(new SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
                @Override
                public void init(HttpSecurity http) throws Exception {
                    http.csrf().disable();
                }
            });
    }
By using apply(), this SecurityConfigurerAdapter will be appended to the list of SecurityConfigurers. The main problem is the "appended to": since LogoutConfigurer is already present by default (in a Spring Boot project at least), it will be configured before this SecurityConfigurerAdapter, and CsrfConfigurer will still be present when LogoutConfigurer is executed.
I know that's a stupid sample, because I could use http.csrf().disable() directly without going through a SecurityConfigurerAdapter and the apply() method. But keep in mind that in my use case I'm developing a starter that gets this (or these) SecurityConfigurerAdapter(s) from injection, so I can't control what a SecurityConfigurerAdapter could contain.
Expected Behavior
If possible (I think it will be a bit tricky to achieve), the fix would be to change how LogoutConfigurer determines whether CSRF is enabled.
Configuration
I don't think it is relevant.
Version
- Spring boot 1.5.x
- Spring security 4.2.x
Sample
I will try to upload one asap if really needed.