4

I tried disabling CSRF in the edge/zuul with `http.csrf().disable()`, but csrfFilter is still present in the filter chain at position 4. I have even set the property `spring.enableCsrf: false`. The csrfFilter still kicks in and my AJAX requests get a 403 error.

How to disable CSRF with Zuul and external OAuth server (UAA)?

Ahamed Mustafa M
  • Can you add the stacktrace of the failed request? – Mukul Goel Jul 03 '17 at 10:08
  • Are you sure the frontend part is configured as well? For jQuery we had to configure something like this to allow CORS: `$.ajaxSetup({ xhrFields: { withCredentials: true, cors: true, }, crossDomain: true, dataType: 'json', });` – Paizo Jul 07 '17 at 10:19
  • 1
    @MukulGoel, Paizo: I did this trial a long time ago, and I don't have the source code now. Thank you for the responses. – Ahamed Mustafa M Jul 10 '17 at 09:18

2 Answers

0

Configure CSRF Protection

Some frameworks handle invalid CSRF tokens by invalidating the user's session, but this causes its own problems. Instead, by default Spring Security's CSRF protection will produce an HTTP 403 access denied. This can be customized by configuring the AccessDeniedHandler to process InvalidCsrfTokenException differently.

As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, the corresponding XML configuration can be seen below.

<http>
    <!-- ... -->
    <csrf disabled="true"/>
</http>

CSRF protection is enabled by default with Java Configuration. If you would like to disable CSRF, the corresponding Java configuration can be seen below. Refer to the Javadoc of csrf() for additional customizations in how CSRF protection is configured.

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Switches off the CsrfFilter for every request handled by this chain
        http
            .csrf().disable();
    }
}
Sudhakar
0

By default, CSRF protection is enabled. However, you can disable CSRF protection if it makes sense for your application.

The Java configuration below will disable CSRF protection.

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Reactive (WebFlux) variant; this bean lives in a class annotated with @EnableWebFluxSecurity
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        // ...
        .csrf(csrf -> csrf.disable());
    return http.build();
}

Reference
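Because the Zuul edge is the service the browser talks to with a session cookie, switching CSRF off globally leaves every cookie-authenticated endpoint open to cross-site requests. The following added example (my own, not code from either answer or from the Spring documentation) narrows the check instead: it requires a token only for state-changing requests that rely on the session cookie and hands the token to the AJAX client via a readable cookie. The class name `EdgeSecurityConfig`, the matcher `NEEDS_CSRF` and the assumption that the gateway itself validates bearer tokens are mine.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.http.HttpHeaders;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical edge (Zuul) security configuration: keeps CSRF protection for
// browser sessions but skips it where the check cannot add anything.
@EnableWebSecurity
public class EdgeSecurityConfig extends WebSecurityConfigurerAdapter {

    // Methods that must not change state and therefore never need a CSRF token.
    private static final Set<String> SAFE_METHODS =
            new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    // Require a CSRF token only for state-changing requests that rely on the
    // session cookie. A request carrying its own bearer token (assumed to be
    // validated by the gateway) cannot be forged by a cross-site form post,
    // because a third-party page cannot attach that header.
    private static final RequestMatcher NEEDS_CSRF = request -> {
        if (SAFE_METHODS.contains(request.getMethod())) {
            return false;
        }
        String auth = request.getHeader(HttpHeaders.AUTHORIZATION);
        return auth == null || !auth.startsWith("Bearer ");
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .requireCsrfProtectionMatcher(NEEDS_CSRF)
                // Non-HttpOnly XSRF-TOKEN cookie so the AJAX client can read it
                // and echo it back in the X-XSRF-TOKEN header of each request.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

With this in place a request without the token still gets the 403 from the CsrfFilter, which is the expected signal in the gateway access log that a client is not sending its X-XSRF-TOKEN header, rather than a reason to remove the filter.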