I would like to enable oauth2 for the whole application except one url.
My configuration:
import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity

@EnableWebFluxSecurity
class SecurityConfig {
    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity) =
        http
            .authorizeExchange()
                .pathMatchers("/devices/**/register").permitAll()
                .and()
            .oauth2Login().and()
            .build()
}
application.yml:
spring.security.oauth2.client.registration.google.client-id: ...
spring.security.oauth2.client.registration.google.client-secret: ...
All the paths are protected with OAuth2, but the problem is that when I call an endpoint that is permitted, /devices/123/register,
then in the response I get:
CSRF Token has been associated to this client
Do I need to configure this path in a different way?
permitAll is a statement about authority only: all the typical web application vulns, like XSS and CSRF, are still mitigated.
If you are trying to indicate that /devices/**/register should be ignored by Spring Security entirely, then you can do:
http
    .securityMatcher(NegatedServerWebExchangeMatcher(
        pathMatchers("/devices/**/register")))
    // ... and omit the permitAll statement
But, if you still want that endpoint to get the secure response headers, just not CSRF protection, then you can do:
http
    .csrf()
        .requireCsrfProtectionMatcher(NegatedServerWebExchangeMatcher(
            pathMatchers("/devices/**/register")))
    // ... and keep the permitAll statement
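The second option from the answer, written out as a complete WebFlux security configuration. This is an added example, not code from the question or the answer; it assumes the Spring Security 5.x `ServerHttpSecurity` API with `.and()` chaining that the page already uses, and the `registrationEndpoint` field and the explicit `anyExchange().authenticated()` rule are my additions. CSRF protection and the secure response headers stay on for every other path; only the registration endpoint is exempted from the CSRF check.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers

@Configuration
@EnableWebFluxSecurity
class SecurityConfig {

    // The one endpoint that must accept requests without a session or CSRF token
    // (pattern taken from the question; the field name is this example's own).
    private val registrationEndpoint = pathMatchers("/devices/**/register")

    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain =
        http
            .csrf()
                // CSRF protection is required for every exchange that is NOT the
                // registration endpoint. The filter still runs, so the rest of the
                // application keeps its token check; the header writers are untouched.
                .requireCsrfProtectionMatcher(NegatedServerWebExchangeMatcher(registrationEndpoint))
                .and()
            .authorizeExchange()
                // Authority: the registration path is open to anyone ...
                .pathMatchers("/devices/**/register").permitAll()
                // ... and everything else needs an authenticated principal (explicit,
                // rather than relying on the default for unmatched exchanges).
                .anyExchange().authenticated()
                .and()
            .oauth2Login().and()
            .build()
}
```

To confirm the exemption, a POST to /devices/123/register with no session cookie and no X-CSRF-TOKEN header should now reach the controller, while the same request to any other path is still rejected by the CSRF filter. If the registration endpoint only ever accepts POST, narrowing the matcher with `pathMatchers(HttpMethod.POST, "/devices/**/register")` keeps the exemption as small as possible. The first option in the answer (`securityMatcher` with the negated matcher) is the alternative when the path should bypass the whole filter chain, at the cost of also losing the security headers on that response.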