Customizing CSRF Protection for Specific Paths in Spring Security
CSRF protection applies to every path for requests made with an HTTP method other than GET, HEAD, TRACE, or OPTIONS. You already know from the previous chapter how to disable CSRF protection completely. But what if you want to disable it only for some of your application's paths? You can do this quickly with a Customizer object.
To disable CSRF protection for specific paths in your Spring Security configuration, pass a Customizer to the csrf() method of the HttpSecurity object. Here is an example. The controller exposes two POST endpoints:
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {

    @PostMapping(value = "/hello")
    public String sayHelloPost() {
        return "Hello!";
    }

    @PostMapping(value = "/hi")
    public String sayHi() {
        return "Hi!";
    }
}

The security configuration keeps CSRF protection enabled but excludes "/hi" from it, so "/hello" still requires a CSRF token:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;

@Configuration
public class ApplicationWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic();
        // CSRF protection stays on; the Customizer only excludes "/hi"
        http.csrf(new CustomizerImpl());
        /*
        // The Customizer can also be written as a lambda:
        http.csrf(c -> {
            c.ignoringAntMatchers("/hi");
        });
        */
        http.authorizeRequests()
            .anyRequest().permitAll();
    }
}

class CustomizerImpl implements Customizer<CsrfConfigurer<HttpSecurity>> {

    @Override
    public void customize(CsrfConfigurer<HttpSecurity> csrfConfigurer) {
        // "/hi" no longer needs a CSRF token; every other non-GET request still does
        csrfConfigurer.ignoringAntMatchers("/hi");
    }
}
The ignoringAntMatchers(String... antPatterns) method of CsrfConfigurer lets you specify Ant-style path expressions to exclude from CSRF protection.
A more flexible approach is to use a RequestMatcher, which allows exclusions based on MVC expressions and regular expressions as well.
The ignoringRequestMatchers() method of CsrfConfigurer accepts any RequestMatcher.
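To confirm that the exclusion is scoped the way the configuration intends, the following MockMvc test, added here and not part of the original tutorial, exercises the DemoController and ApplicationWebSecurityConfigurerAdapter shown above. It assumes a Spring Boot application with spring-boot-starter-test and spring-security-test on the test classpath; the class name CsrfExclusionTest is made up for this example.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class (not from the tutorial) that checks the CSRF exclusion is
// limited to "/hi" and that "/hello" is still protected.
@SpringBootTest
@AutoConfigureMockMvc
class CsrfExclusionTest {

    @Autowired
    private MockMvc mockMvc;

    // "/hi" is listed in ignoringAntMatchers, so a POST without a token is accepted.
    @Test
    void excludedPathAcceptsPostWithoutToken() throws Exception {
        mockMvc.perform(post("/hi"))
               .andExpect(status().isOk());
    }

    // "/hello" is not excluded: the CsrfFilter rejects a POST that carries no token
    // with 403, even though the endpoint itself is permitAll.
    @Test
    void protectedPathRejectsPostWithoutToken() throws Exception {
        mockMvc.perform(post("/hello"))
               .andExpect(status().isForbidden());
    }

    // The same request succeeds once a valid CSRF token is attached, which shows the
    // 403 above comes from the CSRF check and not from authorization.
    @Test
    void protectedPathAcceptsPostWithToken() throws Exception {
        mockMvc.perform(post("/hello").with(csrf()))
               .andExpect(status().isOk());
    }
}
```

If the second test ever starts passing with a 200, an exclusion matcher has become broader than "/hi", which is exactly the regression this test is meant to catch.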
Example using MvcRequestMatcher (here c is the CsrfConfigurer passed to the csrf() lambda):
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

// Matches "/ciao" the same way Spring MVC resolves it for its handler mappings
HandlerMappingIntrospector i = new HandlerMappingIntrospector();
MvcRequestMatcher r = new MvcRequestMatcher(i, "/ciao");
c.ignoringRequestMatchers(r);
Example using a regex matcher:
import org.springframework.http.HttpMethod;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;

// Matches any POST whose path contains at least one digit
String pattern = ".*[0-9].*";
String httpMethod = HttpMethod.POST.name();
RegexRequestMatcher r = new RegexRequestMatcher(pattern, httpMethod);
c.ignoringRequestMatchers(r);
These methods let you exclude specific paths or patterns from CSRF protection while keeping it in place for every other endpoint. Keep the matchers as narrow as possible: the regex above excludes every POST whose path contains a digit, so any state-changing endpoint that happens to match it also loses CSRF protection.