How to disable CSRF in Spring using an application property

Problem

For most web developers CSRF (cross-site request forgery) is a well-known attack: a malicious site tricks the browser of an already authenticated user into sending a state-changing request the user never intended, and the application accepts it because the browser attaches the session cookie automatically. The Spring Security reference on Web Application Security explains how to configure CSRF protection.

You may have noticed the Spring Boot property security.enable-csrf, which looks as if it should enable or disable this feature. However, that property is only honoured by Boot's auto-configured security; a custom WebSecurityConfigurerAdapter like the one below never reads it, and Spring Security turns CSRF protection on by default, so to disable it you have to do so in Java or XML configuration.

A property-driven switch is convenient: you can, for instance, create a profile that disables this protection so that you can focus on the actual functionality during development. Keep in mind that such a profile must only ever be active in development; a production deployment without CSRF protection is exposed to exactly the attack described above.

Property working in newer versions: based on a comment from a Spring Boot member, this issue is fixed in newer versions of Spring Boot. I had it on version 1.5.2.RELEASE, but in version 1.5.9.RELEASE (the latest stable release before version 2 at the time of writing) it is already fixed: CSRF is disabled by default and can be enabled with security.enable-csrf: true. So one possible solution is simply upgrading to 1.5.9.RELEASE before making the major jump to version 2, where the architecture may be quite different. The solution presented below works on any of these versions.

My solution

Because WebSecurityConfigurerAdapter is configured imperatively, you can inject the value of security.enable-csrf and call csrf().disable() only when it is false. The property gets a default of true so that a missing value fails closed (protection stays on) instead of failing at startup:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
public class AuthConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;

    // Read from application.yml / application.properties. The ":true" default
    // keeps CSRF protection on when the property is not set at all.
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Keep the adapter's defaults (every request authenticated, form login, HTTP basic).
        super.configure(http);

        // CSRF protection is on by default; only switch it off when explicitly asked to.
        if (!csrfEnabled) {
            http.csrf().disable();
        }
    }
}
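Because the switch above is driven by configuration, the main risk is the dev value leaking into a production deployment. The following guard is an added example, not part of the original post: it refuses to start the application when CSRF protection is disabled while a profile named prod is active (the profile name is an assumption; use whatever names your production environment).

```java
import javax.annotation.PostConstruct;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class CsrfSafetyCheck {

    @Autowired
    private Environment env;

    // Same property and same fail-closed default as in AuthConfig.
    @Value("${security.enable-csrf:true}")
    private boolean csrfEnabled;

    @PostConstruct
    public void refuseToStartWithoutCsrfInProduction() {
        // Assumption: production always runs with the "prod" Spring profile active.
        if (!csrfEnabled && env.acceptsProfiles("prod")) {
            throw new IllegalStateException(
                "security.enable-csrf=false is not allowed while the prod profile is active");
        }
    }
}
```

An exception thrown from @PostConstruct aborts context startup, so a misconfigured deployment fails loudly instead of silently serving without CSRF protection.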

What I did was set that property to false in my application.yml for the dev Spring profile, although you could just as well create a profile called nosecurity for this purpose. The first YAML document applies to every profile, and the document after the --- separator only applies while the dev profile is active, so production keeps the default:

--- application.yml ---
#Default configuration, applied to every profile (this is what production runs with)
server:
    port: ${server.web.port}
admin:
    email: ${admin.email}
#etc
---
spring:
    profiles: dev

security.enable-csrf: false

#Other Development configurations
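To make sure the property really toggles the filter chain in both directions, here is an added MockMvc test (not from the original post) covering both values of security.enable-csrf. It assumes a Spring Boot 1.5 project with spring-boot-starter-test and spring-security-test on the test classpath, and that the application already provides the UserDetailsService bean AuthConfig needs. The /ping endpoint and the class names are hypothetical and exist only for the test; the two test classes go in separate files because JUnit 4 test classes must be public.

```java
// --- PingController.java (hypothetical state-changing endpoint, test support only) ---
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PingController {
    @PostMapping("/ping")
    public String ping() {
        return "pong";
    }
}

// --- CsrfEnabledTest.java ---
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
@TestPropertySource(properties = "security.enable-csrf=true")
public class CsrfEnabledTest {

    // Nested @TestConfiguration is added to, not substituted for, the application config.
    @TestConfiguration
    static class Endpoints {
        @Bean
        PingController pingController() {
            return new PingController();
        }
    }

    @Autowired
    private MockMvc mvc;

    @Test
    public void authenticatedPostWithoutTokenIsRejected() throws Exception {
        // Logged-in user but no CSRF token: CsrfFilter must reject with 403
        // before the request ever reaches the controller.
        mvc.perform(post("/ping").with(user("alice")))
           .andExpect(status().isForbidden());
    }

    @Test
    public void authenticatedPostWithTokenIsAccepted() throws Exception {
        // Same request carrying a valid token is let through.
        mvc.perform(post("/ping").with(user("alice")).with(csrf()))
           .andExpect(status().isOk());
    }
}

// --- CsrfDisabledTest.java (same imports as above) ---
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
@TestPropertySource(properties = "security.enable-csrf=false")
public class CsrfDisabledTest {

    @TestConfiguration
    static class Endpoints {
        @Bean
        PingController pingController() {
            return new PingController();
        }
    }

    @Autowired
    private MockMvc mvc;

    @Test
    public void postWithoutTokenIsAcceptedWhenCsrfDisabled() throws Exception {
        // With the property set to false the filter is gone, so no token is required.
        mvc.perform(post("/ping").with(user("alice")))
           .andExpect(status().isOk());
    }
}
```

@TestPropertySource overrides whatever application.yml says, so each class exercises one value of the property regardless of which profile is active on the machine running the tests. If the first test ever starts passing with a 200, the dev setting has leaked into the default configuration.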

I hope it suits your needs.
