Skip to content

Removes the need for a CSRF token with mock JWT #7276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Removes the need for a CSRF token with mock JWT #7276

wants to merge 1 commit into from

Conversation

henriquels25
Copy link
Contributor

Fixes: gh-7170

Changes the JwtRequestPostProcessor to remove the check for a CSRF token in the request.

If there is a more elegant way to change the RequestMatcher of the request CsrfFilter, please let me know.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 18, 2019
@henriquels25
Removes the need for a CSRF token with mock JWT
c0d2b7f 
Changes the JwtRequestPostProcessor to remove
the check for a CSRF token in the request.

Fixes spring-projectsgh-7170
rwinch
rwinch requested changes Aug 19, 2019
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @henriquels25! Please see inline for comments

test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java
* {@link RequestMatcher}
* @param requestMatcher the {@link RequestMatcher} to set
*/
public static void setCsrfRequestMatcher(HttpServletRequest request,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We cannot do this because it dirties the context since additional requests without a jwt token would also ignore CSRF protection. The CSRF request should be disabled for just this request.

It might be better to:

  1. Update CsrfFilter.shouldNotFilter to return true if a specific request attribute is set
  2. Modify the code to set the attribute when jwt is being invoked

@rwinch rwinch added in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 19, 2019
@jzheaux jzheaux mentioned this pull request Sep 5, 2019
Closed
@jzheaux
Copy link
Contributor

jzheaux commented Sep 9, 2019

Closing in favor of #7368 which addresses the concerns listed in #7276 (comment)

@jzheaux jzheaux closed this Sep 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch rwinch requested changes

Assignees
No one assigned
Labels
in: web An issue in web modules (web, webmvc) status: duplicate A duplicate of another issue status: waiting-for-feedback We need additional information before we can continue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Mock Jwt should ensure that CSRF is not required
4 participants
@henriquels25 @jzheaux @rwinch @spring-projects-issues