I’m working on a microservices architecture that combines servlet and reactive Spring Boot applications; these are deployed on a K8S cluster, and each microservice exposes the Spring Actuator endpoints for health monitoring and logging management: in fact, we use the /actuator/loggers
endpoints in POST
to set specific levels at runtime. This may happen by curl
calls from terminal, or from management applications like Spring Boot Admin.
I published two examples of these microservices at https://github.com/polifr/csrf-servlet and https://github.com/polifr/csrf-reactive, complete with junit test classes and three different CSRF configurations (disabled, enabled, customized with specific exclusions); I will refer to the sources of these projects to explain further the situation.
The logging configuration endpoint falls under the management of the CSRF policy because is called with a POST
. In the case of servlet, an exclusion can be set using the ignoringRequestMatchers
method, like this (CsrfIgnoringSecurityConfiguration
of the csrf-servlet project):
log.debug("Csrf is enabled");
http.csrf(
csrf ->
csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringRequestMatchers(EndpointRequest.to(LoggersEndpoint.class)));
In this case, it is done a decoration to the CSRF policy that has been set by the context.
Instead, for the reactive stack, there is no equivalent method; I tried the solution given for How to add CSRF disable for specific URL in Spring Web Flux Basic Authentication (Reactive Programming), but it does not work: in fact, it would CSRF-block all the other endpoint, also the GET
ones.
At the moment, the only solution I have found is this (CsrfIgnoringSecurityConfiguration
of the csrf-reactive project):
log.debug("Csrf is enabled");
http.csrf(
csrf ->
csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.requireCsrfProtectionMatcher(
new AndServerWebExchangeMatcher(
CsrfWebFilter.DEFAULT_CSRF_MATCHER,
new NegatedServerWebExchangeMatcher(
EndpointRequest.to(LoggersEndpoint.class)))));
But in this case, I am overwriting the context-managed CSRF policies, that may include specific exclusions, e.g. authentication. See for example Spring Security ServerHttpSecure
:
private void registerDefaultCsrfOverride(ServerHttpSecurity http) {
if (http.csrf != null && !http.csrf.specifiedRequireCsrfProtectionMatcher) {
AndServerWebExchangeMatcher matcher = new AndServerWebExchangeMatcher(
CsrfWebFilter.DEFAULT_CSRF_MATCHER,
new NegatedServerWebExchangeMatcher(this.authenticationConverterServerWebExchangeMatcher));
http.csrf().requireCsrfProtectionMatcher(matcher);
}
}
Apart from trying to ask the Spring Community to implement also for the reactive stack an ignoringRequestMatchers
method, does anybody have some suggestions about how to implement this kind of CSRF customization in a cleaner way?
You need to sign in to view this answers
Leave feedback about this