Form POST hangs when CSRF Protection is enabled #8026
Comments
Thanks for the report and the excellent sample. The problem seems to happen because Spring Security's

The problem is more general in that if any

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ReadFormWebFilter implements WebFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        // Read the form data (here, the "foo" field) before delegating to the rest of the filter chain.
        return exchange.getFormData()
                .flatMap(d -> Mono.justOrEmpty(d.getFirst("foo")))
                .then(chain.filter(exchange));
    }
}
```

I've included a complete example in a branch named nosecurity of my fork of your sample that demonstrates the issue is reproducible without Spring Security. I'd suggest you create a ticket in Spring Cloud Gateway.
Thanks for the help @rwinch!
@SmithJosh If you create another issue, can you please link it to here for others to find?
Sure, here's a link to the gateway issue: spring-cloud/spring-cloud-gateway#1587
Is this problem solved now?
This was not a bug in Spring Security. Please refer to the Spring Cloud issue for updates.
Summary
I have a Spring Cloud Gateway application which uses Spring Security to provide CSRF protection. The gateway has a single webpage which sends POST requests to some service behind the gateway. When CSRF is disabled, everything works, both form and AJAX POST requests. But when CSRF is enabled, form POSTs hang and eventually time out.
This is somehow related to Spring Cloud Gateway, as the issue doesn't arise without it.
See the sample for steps to reproduce.
Actual Behavior
Expected Behavior
Configuration
See sample
Version
5.2.1.RELEASE
Sample
https://github.com/SmithJosh/spring-security-8026