CSRF Protection in Java microservices app
Hello, I have trouble setting up CSRF protection in my microservice app.
The architecture is that I use a web service for displaying the web content, and it also contains login and register forms which are connected to an auth service responsible for generating the JWT. I also have a Eureka naming server for load balancing and an API gateway which all requests go through, and in a filter the JWT token is validated. It is important to note that the JWT is stored in cookies. How do I implement a CSRF token? I tried adding a security config in the web service, but that resulted in 403 Forbidden for non-GET requests. It is important to understand that the web service does not contain validation of user credentials, so that may be the case. Do I use the API gateway for adding the CSRF header? Or do you have any idea how to solve my problem?
this is my config in web service
your frontend needs to add the CSRF token with every request
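What the reply above describes, as an added example that is not part of the original thread: a client-side helper that copies the CSRF token from a cookie into a request header on every state-changing request, which is what a server-side CSRF filter checks before it answers 403. The cookie name `XSRF-TOKEN` and header name `X-XSRF-TOKEN` are assumptions (they are the defaults of Spring Security's `CookieCsrfTokenRepository`, which the post does not confirm is in use), and the CSRF cookie is assumed to be readable by JavaScript.

```javascript
// Added example: the names below are assumptions, not taken from the post.
const CSRF_COOKIE = "XSRF-TOKEN";   // assumed cookie name (CookieCsrfTokenRepository default)
const CSRF_HEADER = "X-XSRF-TOKEN"; // assumed header name (CookieCsrfTokenRepository default)
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Extract one cookie value from a Cookie-style string ("a=1; b=2").
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Build fetch options that carry the CSRF token on state-changing requests.
function withCsrf(options, cookieString) {
  const method = (options.method || "GET").toUpperCase();
  const headers = { ...(options.headers || {}) };
  if (!SAFE_METHODS.has(method)) {
    const token = readCookie(cookieString, CSRF_COOKIE);
    if (!token) {
      // Fail early instead of sending a request the server will reject with 403.
      throw new Error("CSRF cookie missing: issue a GET first so the server can set it");
    }
    headers[CSRF_HEADER] = token;
  }
  // "same-origin" keeps the JWT cookie attached without sending it cross-site.
  return { ...options, method, headers, credentials: "same-origin" };
}

// Browser entry point: document.cookie only exposes the CSRF cookie if it is
// not HttpOnly; the JWT cookie itself should stay HttpOnly.
function csrfFetch(url, options = {}) {
  return fetch(url, withCsrf(options, document.cookie));
}

// Constructed sample cookie string for illustration.
const sampleCookies = "theme=dark; XSRF-TOKEN=3f1c9a%2Dtoken";
const sampleRequest = withCsrf({ method: "post", body: "name=x" }, sampleCookies);
```

With an API gateway in front, the gateway has to forward both the CSRF cookie and the header to whichever service performs the CSRF check.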