Spring Boot version: 2.3.0.RELEASE

When a Spring Boot application is used as the src of an iframe with Spring Security on the classpath, WebFlux and servlet apps behave differently.

Security config for reactive webapp:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                // no X-Frame-Options header, so the app may be embedded in an iframe
                .headers().frameOptions().disable()
                .and()
                .authorizeExchange()
                .anyExchange().authenticated()
                .and()
                .formLogin()
                .and()
                .build();
    }
}
```

Security config for servlet webapp:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // no X-Frame-Options header, so the app may be embedded in an iframe
        http.headers().frameOptions().disable()
                .and()
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }
}
```

Using the Tomcat server and the security config given above, the user gets logged in and the response is successfully sent back with 200 OK. A similar config in WebFlux with the Netty server responds with 403 Forbidden and the response:

CSRF Token has been associated to this client.

Perhaps it is related to Set-Cookie with SameSite=Lax; in WebFlux.

Use an iframe on any external domain with src set to the Spring Boot app. Try deleting cookies if you are unable to reproduce the issue.

```html
<iframe src="http://localhost:8080/">
</iframe>
```

Sample app - spring-iframe.zip

Questions: Is this expected behaviour? Is there any way to log in inside an external iframe when using Spring WebFlux as the dependency?
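Added example (editor's code, not part of the issue or the sample app): it follows the SameSite hypothesis above. WebFlux's `CookieWebSessionIdResolver` writes the SESSION cookie with SameSite=Lax, so the browser omits it on the cross-site POST of the login form from inside a third-party iframe; the session-backed CSRF token repository then sees a new session and rejects the request with the 403 shown. Tomcat's servlet session cookie carries no SameSite attribute by default, which is why the servlet app succeeds. The configuration below registers a session manager (under the bean name WebFlux looks up) whose cookie is explicitly SameSite=None and Secure; treat it as an assumption to verify against your own Set-Cookie headers.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.server.adapter.WebHttpHandlerBuilder;
import org.springframework.web.server.session.CookieWebSessionIdResolver;
import org.springframework.web.server.session.DefaultWebSessionManager;
import org.springframework.web.server.session.WebSessionManager;

@Configuration
public class SessionCookieConfig {

    // WebFlux resolves the session manager by the bean name "webSessionManager"
    // (WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME), so the name matters.
    @Bean(WebHttpHandlerBuilder.WEB_SESSION_MANAGER_BEAN_NAME)
    public WebSessionManager webSessionManager() {
        CookieWebSessionIdResolver resolver = new CookieWebSessionIdResolver();
        // The resolver's built-in default is SameSite=Lax. The initializer runs after
        // the default cookie is built, so these settings override it.
        resolver.addCookieInitializer(cookie -> cookie
                .sameSite("None")   // send the session cookie on cross-site requests
                .secure(true));     // browsers require Secure whenever SameSite=None
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setSessionIdResolver(resolver);
        return manager;
    }
}
```

Because the cookie is now Secure, the embedded app must be served over HTTPS (the plain http://localhost:8080 src in the sample will not receive it), and Spring Security's CSRF token check remains in force, which is what keeps the cross-site login form protected once SameSite no longer does.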

Comment From: wilkinsona

Thanks for the sample. When you have your own security configuration and are using @EnableWebSecurity or @EnableWebFluxSecurity, Spring Boot isn't really involved in securing your application. As such, I think this issue would be better-addressed by the Spring Security team. If you're looking for some guidance, you can chat with the team and community on Gitter or ask a question on StackOverflow. If you believe you have found a bug, you can open an issue.