
I used spring-boot-actuator with a different port, like the following:

server.port=8080
management.port=8989

And in the application, I want to use enable-csrf=true, but I don't want to use CSRF on the actuator port, because I want to send bulk POST requests to Jolokia.

Only excluding /actuator is not smart.

http.csrf().ignoringAntMatchers("/actuator/**");

A property like the following would be good for me (but management.security.enable-csrf does not exist).

security.enable-csrf=true
management.security.enable-csrf=false

Is there any good solution?

krrrr38
  • I know what you are trying to do and it's a little tricky... [Possible workaround](http://stackoverflow.com/questions/31143703/spring-boot-management-port-and-spring-security) – syncdk Mar 06 '16 at 06:13



Since you have a different management port, you can simply disable CSRF for that:

import java.util.Objects;

import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties; // Spring Boot 1.x package
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Matches only when every given matcher matches
    private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
        return new AndRequestMatcher(requestMatchers);
    }

    // Inverts a matcher
    private static RequestMatcher not(RequestMatcher requestMatcher) {
        return new NegatedRequestMatcher(requestMatcher);
    }

    private final ManagementServerProperties managementServerProperties;

    public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
        this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Keep Spring Security's default CSRF rule (everything except GET/HEAD/TRACE/OPTIONS),
        // but apply it only to requests that did not arrive on the management port
        http.csrf().requireCsrfProtectionMatcher(
                allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
        // other configuration
    }

    // True when the request was accepted on the management port (management.port).
    // getPort() is null when management.port is not configured; then nothing is exempted
    private RequestMatcher accessingManagementPort() {
        return httpServletRequest -> {
            Integer managementPort = managementServerProperties.getPort();
            return managementPort != null && httpServletRequest.getLocalPort() == managementPort;
        };
    }

}
skirsch
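A stand-alone check of the matcher logic from the answer, added here as an example and not part of the answer or of Spring's own code. It builds the same AndRequestMatcher with the question's two ports hard-coded (8080 and 8989) and drives it with MockHttpServletRequest from spring-test, assumed to be on the classpath; the class and method names are mine.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class ManagementPortCsrfMatcherCheck {

    // Values from the question's application.properties (constructed for this check)
    static final int APP_PORT = 8080;        // server.port
    static final int MANAGEMENT_PORT = 8989; // management.port

    // Same composition as the answer: default CSRF rule AND NOT (request on management port)
    static RequestMatcher csrfMatcherSparingManagementPort() {
        RequestMatcher onManagementPort = request -> request.getLocalPort() == MANAGEMENT_PORT;
        return new AndRequestMatcher(CsrfFilter.DEFAULT_CSRF_MATCHER,
                new NegatedRequestMatcher(onManagementPort));
    }

    // Builds a fake request (constructed input) and asks the matcher whether a CSRF token is required
    static boolean requiresCsrf(RequestMatcher matcher, String method, String uri, int localPort) {
        MockHttpServletRequest request = new MockHttpServletRequest(method, uri);
        request.setLocalPort(localPort);
        return matcher.matches(request);
    }

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) {
        RequestMatcher matcher = csrfMatcherSparingManagementPort();

        // A POST on the application port must still carry a CSRF token
        check(requiresCsrf(matcher, "POST", "/api/orders", APP_PORT),
                "POST on the application port should require CSRF");
        // A bulk POST to Jolokia on the management port is exempt
        check(!requiresCsrf(matcher, "POST", "/jolokia", MANAGEMENT_PORT),
                "POST on the management port should be exempt from CSRF");
        // The default matcher never protects GET, regardless of port
        check(!requiresCsrf(matcher, "GET", "/api/orders", APP_PORT),
                "GET should never require CSRF");

        System.out.println("CSRF matcher behaves as expected on both ports");
    }
}
```

The exemption keys on the port the container accepted the connection on, so the management port's own security settings and network exposure decide who can reach the unprotected Jolokia endpoint.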