Reputation: 83
My project setup has one security filter chain and CSRF is disabled.
With the following Spring environment, the code works as expected.
But upon upgrading spring-authorization-server to 1.4.1, the code breaks with a 403 error code.
Upon debugging, I figured out that CsrfFilter, defined in package org.springframework.security.web.csrf,
is getting executed as part of the filter chain even though that is not intended. With version 1.2.7 this wasn't the case.
I have tried disabling CSRF in both of the suggested ways, but in vain:
http.csrf(csrf -> csrf.disable()) and http.csrf(AbstractHttpConfigurer::disable).
I briefly went through the release notes of the authorization server, and they were not that helpful:
https://github.com/spring-projects/spring-authorization-server/releases/tag/1.4.0-RC1
https://github.com/spring-projects/spring-authorization-server/releases/tag/1.3.3
Any additional pointers I should consider for the upgrade?
Upvotes: 1
Views: 117
Reputation: 11
I was running into the same issue while trying to configure Spring Authorization Server 1.4.1 with Spring Security 6.4.2.
To fix the override of the application's CSRF settings, you need to configure the authorizationServerSecurityFilterChain first:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    var authorizationServerConfigurer = OAuth2AuthorizationServerConfigurer.authorizationServer();
    return http.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, Customizer.withDefaults())
        .build();
}
And then define the defaultSecurityFilterChain:
@Bean
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf(AbstractHttpConfigurer::disable)
        // NEVER is SessionCreationPolicy.NEVER (static import)
        .sessionManagement(customize -> customize.sessionCreationPolicy(NEVER))
        ....
        .authorizeHttpRequests(
            authorize -> authorize
                ....
        );
    return http.build();
}
In this case, CSRF protection will be correctly disabled for the Spring Authorization Server API endpoints and for your custom APIs.
Upvotes: 1
Reputation: 83
I was finally able to disable CSRF. One has to update the code as shown below to make it work:
httpSecurity.csrf((csrf)->csrf.ignoringRequestMatchers(new AntPathRequestMatcher("/**")));
One might encounter this issue if their HttpSecurity is built along with OAuth2AuthorizationServerConfiguration on spring-authorization-server version 1.4.1.
The reason is that the init method in the OAuth2AuthorizationServerConfigurer class was updated to add a CSRF filter, as shown below:
httpSecurity.csrf((csrf)->csrf.ignoringRequestMatchers(this.endpointsMatcher))
Once the httpSecurity.build() method is executed, the invocation of the init method nullifies either form of declaration:
http.csrf(csrf -> csrf.disable()) or http.csrf(AbstractHttpConfigurer::disable).
The reason for the nullification is how these methods are defined in HttpSecurity:
public HttpSecurity csrf(Customizer<CsrfConfigurer<HttpSecurity>> csrfCustomizer) throws Exception {
    ApplicationContext context = getContext();
    csrfCustomizer.customize(getOrApply(new CsrfConfigurer<>(context)));
    return HttpSecurity.this;
}

private <C extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>> C getOrApply(C configurer)
        throws Exception {
    C existingConfig = (C) getConfigurer(configurer.getClass());
    if (existingConfig != null) {
        return existingConfig;
    }
    return apply(configurer);
}
Upvotes: 1
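An added example, not code from the question or from either answer, showing the single-chain layout both answers discuss on Spring Authorization Server 1.4.x with Spring Security 6.4.x. It relies on the mechanism described in the second answer: because the configurer's init() calls http.csrf(...) at build time and getOrApply() returns an existing CsrfConfigurer, the chain keeps its CsrfConfigurer in the builder and only narrows the ignore list instead of calling disable(), and it ignores CSRF for a stateless bearer-token API rather than for /**. The /api/** path, the /login page, the package name, and the JwtDecoder, RegisteredClientRepository and JWKSource beans assumed to be defined elsewhere are assumptions for illustration, not from the original post.

```java
// Added example, not the original post's code.
// Assumptions: the application's own API lives under /api/** and is called with
// bearer tokens issued by this server; a JwtDecoder bean (for example from
// OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource)), a JWKSource
// and a RegisteredClientRepository are defined elsewhere; /login is the form
// login page. Package name is hypothetical.
package com.example.authserver;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Configuration
@EnableWebSecurity
public class SingleChainSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer =
                OAuth2AuthorizationServerConfigurer.authorizationServer();

        http
            // Registers the Authorization Server protocol endpoints
            // (/oauth2/authorize, /oauth2/token, /oauth2/jwks, ...).
            // In 1.4.x the configurer's init() runs at http.build() and calls
            //   http.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
            // csrf(AbstractHttpConfigurer::disable) removes the CsrfConfigurer from
            // the builder, so init() finds none, applies a fresh one, and CSRF is
            // back on for everything except the protocol endpoints.
            .with(authorizationServer, Customizer.withDefaults())
            // Keep the CsrfConfigurer in the builder and only widen its ignore list.
            // getOrApply() hands this same instance to init(), which adds the
            // protocol endpoints matcher on top of ours. Ignoring "/**" instead
            // would also strip CSRF from the form login POST (login CSRF).
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
            .authorizeHttpRequests(authorize -> authorize
                    .requestMatchers("/api/**").authenticated()
                    .anyRequest().authenticated())
            // The API is stateless and authenticates with JWTs from this server,
            // which is why it can safely sit outside CSRF protection.
            .oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()))
            // Browser requests to /oauth2/authorize without a session go to the login page.
            .exceptionHandling(exceptions -> exceptions.defaultAuthenticationEntryPointFor(
                    new LoginUrlAuthenticationEntryPoint("/login"),
                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)))
            .formLogin(Customizer.withDefaults());

        return http.build();
    }
}
```

The relative order of the .with(...) and .csrf(...) calls does not matter here: both only register configurers, and the csrf(...) call inside the configurer's init() happens later, during http.build(). What matters is that a CsrfConfigurer is still present in the builder at that point, which disable() prevents and ignoringRequestMatchers(...) preserves. If the application endpoints need a different session policy from the login flow (as in the first answer's sessionCreationPolicy(NEVER)), the two-chain layout from that answer is the cleaner option, with the authorization server chain restricted by securityMatcher(getEndpointsMatcher()).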