I have a resource service behind a Cloud Gateway route with a TokenRelay filter:
routes:
  - id: apis
    uri: http://rest-app:8080/apis
    predicates:
      - Path=/apis/**
    filters:
      - TokenRelay=
GET requests work fine, but on POSTs I get 403 Forbidden with a response body containing
CSRF Token has been associated to this client
I've tried to disable CSRF protection by adding this bean:
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http.csrf().disable().cors().disable().build()
}
But this has no effect and I still get 403. Moreover, I cannot debug exactly which filter prevents the client from doing POST requests; the only logging information I get with
logging:
  level:
    root: INFO
    org.springframework.web: TRACE
    org.springframework.security: TRACE
    org.springframework.security.oauth2: TRACE
    org.springframework.cloud.gateway: TRACE
    org.springframework.security.jwt: TRACE
is just a couple of lines saying the POST was forbidden:
[2020-04-01 13:21:32,635] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] HTTP POST "/apis/", headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] Completed 403 FORBIDDEN, headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.h.s.r.ReactorHttpHandlerAdapter - [58a0e540-10] Handling completed
How do I correctly turn CSRF off?
The correct SecurityWebFilterChain that solved my problem:
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http
        .authorizeExchange().anyExchange().authenticated()
        .and()
        .oauth2Login()
        .and()
        .csrf().disable()
        .build()
}
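Turning CSRF off makes the 403 go away, but it is a trade-off rather than a fix: with oauth2Login the gateway itself holds the user's session in a cookie, so with the check removed a cross-site form or script can submit a POST through the gateway that carries that session cookie (subject to the browser's SameSite handling). The alternative below is an added example, not code from the question or answer above: it keeps the CSRF check and instead hands the token to the client in a readable XSRF-TOKEN cookie, so a browser client can echo it back in the X-XSRF-TOKEN header on POST. The class name GatewaySecurityConfig and the bean names are my choices; the Spring Security 5 WebFlux calls (CookieServerCsrfTokenRepository.withHttpOnlyFalse, the CsrfToken exchange attribute) are the real API.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository
import org.springframework.security.web.server.csrf.CsrfToken
import org.springframework.web.server.WebFilter
import reactor.core.publisher.Mono

// Assumed class/bean names for this example; only the Spring API calls are fixed.
@Configuration
@EnableWebFluxSecurity
class GatewaySecurityConfig {

    // Same chain as the accepted answer, but CSRF stays enabled: the token is kept
    // in an XSRF-TOKEN cookie that is NOT HttpOnly, so browser JS can read it and
    // send it back as the X-XSRF-TOKEN header on state-changing requests.
    @Bean
    fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain =
        http
            .authorizeExchange().anyExchange().authenticated()
            .and()
            .oauth2Login()
            .and()
            .csrf().csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .build()

    // In WebFlux the CsrfToken is exposed as a lazy Mono in the exchange attributes and
    // the cookie is only written when something subscribes to it. This filter subscribes
    // on every request so the first GET already sets XSRF-TOKEN for the client.
    @Bean
    fun csrfTokenSubscribingFilter(): WebFilter = WebFilter { exchange, chain ->
        val csrfToken = exchange.getAttribute<Mono<CsrfToken>>(CsrfToken::class.java.name)
        if (csrfToken == null) {
            chain.filter(exchange)
        } else {
            // doOnSuccess forces the token to be generated and the cookie to be added
            csrfToken.doOnSuccess { }.then(chain.filter(exchange))
        }
    }
}
```

On the client side a POST then looks like `POST /apis/` with `Cookie: SESSION=...; XSRF-TOKEN=<value>` and `X-XSRF-TOKEN: <value>`; a request without the header still gets 403. The body text quoted in the question ("CSRF Token has been associated to this client") is what CsrfWebFilter returns when its token repository has no stored token for the client at all, as opposed to "Invalid CSRF Token" for a present but mismatching one, which is a quick way to tell the two failure modes apart in the gateway's 403 responses. If the callers are non-browser services that authenticate with a bearer token rather than the gateway session, disabling CSRF as in the answer is reasonable, since there is no cookie for an attacker to ride on.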