Describe the bug: We have an issue with our current setup. We migrated our Spring OAuth 2 security configuration to the latest Spring Security configuration (https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide).
Since then, our resource server CSRF configuration does not work anymore.
At this point, https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java#L116, the filter should verify whether the request requires CSRF protection.
The requestMatchers contains two RequestMatchers:
the default one, https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java#L83, and the ignored one, https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java#L498, since the init method negates it (tries to ignore authentication): https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java#L459.
The final RequestMatcher looks like: Default CSRF Request Matcher && not BearerTokenRequestMatcher (verifies whether the request can authenticate the user; if so, the condition is always true).
The problem is now: it does not work. As soon as we try to access a protected resource (where authentication is required), the CsrfFilter does not work anymore. The first request matcher in the CsrfFilter applies, but the second one, which verifies that no authentication is available, fails and therefore makes it impossible to apply CSRF security to secured resources.
We debugged it completely and cannot find our mistake nor how we can fix this.
Expected behavior: CSRF security for protected resources.
Sample: simple configuration in a simple Spring Boot app:
```kotlin
// Reporter's configure() override; the handlers, resolver, token repository, properties,
// authentication manager and customizer provider are injected fields of the enclosing class.
override fun configure(httpSecurity: HttpSecurity) {
    // Resource server: validate incoming JWTs and map them to an Authentication
    httpSecurity.oauth2ResourceServer().run {
        accessDeniedHandler(accessDeniedHandler)
        authenticationEntryPoint(authenticationEntryPoint)
        bearerTokenResolver(bearerTokenResolver)
        jwt().run {
            decoder(jwtDecoder())
            jwtAuthenticationConverter { jwt -> salesAssociateAuthenticationManager.authenticate(jwt) }
        }
    }
    // CSRF is switchable via configuration properties
    if (csrfProperties.enabled) {
        httpSecurity.csrf()
            .csrfTokenRepository(csrfTokenRepository)
    } else {
        httpSecurity.csrf().disable()
    }
    // No HTTP session: every request must carry its own credentials
    httpSecurity.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    // Either an application-specific customizer configures authorization, or everything requires authentication
    webSecurityCustomizerObjectProvider.ifAvailable?.configure(httpSecurity)
        ?: httpSecurity.authorizeRequests().anyRequest().authenticated()
}
```
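To make the matcher composition described in the report tangible, here is an added example (not code from the issue or from Spring Security) that rebuilds "DEFAULT_CSRF_MATCHER && !BearerTokenRequestMatcher" with Spring Security's public matcher classes and checks constructed requests against it. The real BearerTokenRequestMatcher is private inside OAuth2ResourceServerConfigurer, so BearerTokenPresentMatcher below is a hypothetical stand-in that only looks at the Authorization header; it assumes Spring Security 5.x (javax.servlet) and spring-test's MockHttpServletRequest on the classpath.

```kotlin
import javax.servlet.http.HttpServletRequest
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.security.web.csrf.CsrfFilter
import org.springframework.security.web.util.matcher.AndRequestMatcher
import org.springframework.security.web.util.matcher.NegatedRequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher

// Hypothetical stand-in for the private BearerTokenRequestMatcher: matches whenever the
// request carries a bearer token, i.e. whenever the resource server could authenticate it.
class BearerTokenPresentMatcher : RequestMatcher {
    override fun matches(request: HttpServletRequest): Boolean {
        val header = request.getHeader("Authorization") ?: return false
        return header.startsWith("Bearer ", ignoreCase = true)
    }
}

// Composition the report describes: the default CSRF matcher (state-changing methods only)
// AND the negation of the bearer-token matcher that the resource server configurer ignores.
val requiresCsrf: RequestMatcher = AndRequestMatcher(
    CsrfFilter.DEFAULT_CSRF_MATCHER,
    NegatedRequestMatcher(BearerTokenPresentMatcher())
)

// Builds a constructed request (no real token) and asks the composed matcher about it.
fun requiresCsrfProtection(method: String, bearerToken: String?): Boolean {
    val request = MockHttpServletRequest(method, "/api/orders")
    if (bearerToken != null) {
        request.addHeader("Authorization", "Bearer $bearerToken")
    }
    return requiresCsrf.matches(request)
}

fun main() {
    // A POST with no bearer token is the classic CSRF-relevant request.
    println("POST without bearer token -> requires CSRF: ${requiresCsrfProtection("POST", null)}")
    // A POST that authenticates via bearer token is excluded by the negated matcher,
    // which is exactly the behaviour the report observes on protected resources.
    println("POST with bearer token    -> requires CSRF: ${requiresCsrfProtection("POST", "constructed-sample")}")
    // Safe methods never require CSRF under the default matcher.
    println("GET without bearer token  -> requires CSRF: ${requiresCsrfProtection("GET", null)}")
}
```

Running it shows why the second matcher "fails" for authenticated requests: a bearer token must be attached explicitly by the client rather than sent automatically by the browser, so the resource server configurer deliberately removes such requests from CSRF checking.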
Comment From: rwinch
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.
Comment From: KatieKoslosky
@Writtscher did you find a solution or workaround to this? I am having the same issue.
Comment From: Writtscher
@KatieKoslosky Yes, I managed to work around it. Just use the latest Spring Security and not the "older" security-oauth libraries and you should be good to go.