spring-security, spring-oauth2, spring-cloud-security

@EnableOAuth2Sso and csrf


I am trying to build a complete sample code for Gateway, UI, Resource. Everything worked perfectly except when I tried to do a POST.

I noticed first that I have double CSRF, one from the gateway and one from the UI. So my decision, which I am not sure is the correct one, was to disable CSRF on the UI and keep it on the gateway (Zuul Proxy), but I was not able to do that.

I could not tell which adapter I should extend: WebSecurityConfigurerAdapter or ResourceServerConfigurerAdapter.

As soon as I declare a WebSecurityConfigurerAdapter the whole OAuth2Sso stops working and I get access denied, and ResourceServerConfigurerAdapter does not seem to do anything.

At first I would like to disable CSRF on @EnableZuulProxy and @EnableOAuth2Sso.


Solution

  • Based on this answer I found out that @EnableOAuth2Sso should be on the same WebSecurityConfigurerAdapter if one exists, or we will end up having 2 adapters; doing so fixed everything.

    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    // @EnableOAuth2Sso sits on the one and only WebSecurityConfigurerAdapter;
    // a separate adapter would leave two adapters competing for the filter chain.
    @Configuration
    @EnableOAuth2Sso
    public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    // CSRF protection switched off entirely on this adapter
                    .csrf()
                    .disable()
                    // alternative that keeps CSRF on with a JavaScript-readable cookie:
                    //.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                    //.and()
                    .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }


    On Spring Boot 1.5.8 I also had to set security.oauth2.resource.filter-order=3. See https://github.com/spring-projects/spring-security-oauth/issues/1016
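The split the question asked for (CSRF kept on the gateway, off on the UI) can be done on the same single adapter without `.disable()`, as an added example that is not the answerer's code: the commented-out `CookieCsrfTokenRepository` lines are made active so the gateway issues an `XSRF-TOKEN` cookie and checks the matching `X-XSRF-TOKEN` header on each POST. It assumes Spring Boot 1.5.x with `@EnableZuulProxy` left on the application class and `security.oauth2.resource.filter-order=3` set as above; the class name is a placeholder.

```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example (hypothetical class name): gateway adapter that keeps CSRF enabled.
// @EnableOAuth2Sso stays on this adapter so only one WebSecurityConfigurerAdapter exists,
// which is what made SSO work in the answer above.
@Configuration
@EnableOAuth2Sso
public class GatewaySecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // The cookie repository stores the token in an XSRF-TOKEN cookie.
                // withHttpOnlyFalse() lets the browser-side UI read it and send it back
                // in the X-XSRF-TOKEN header; a POST/PUT/DELETE arriving at the gateway
                // without a header that matches the cookie is rejected with 403.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                // Everything proxied through Zuul requires an SSO-authenticated session.
                .anyRequest().authenticated();
    }
}
```

With the token checked once at the gateway, the UI behind the proxy can leave its own CSRF filter off, which removes the double check the question describes while still covering every request that enters through Zuul.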