Describe the bug

Build the Eureka server and client; when the client registers with the Eureka server, it gets a 403.

Using the spring cloud version: 2023.0.3

log:

```
Securing GET /eureka/apps/
Authenticated user
Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principa
Secured GET /eureka/apps/
Securing POST /eureka/apps/SPRING-CONFIG-DEMO
Securing PUT /eureka/apps/SPRING-CONFIG-DEMO/spring-eureka-demo:spring-con
Invalid CSRF token found for http://spring-eureka-demo:3000/eureka/apps/SP
Responding with 403 status code
Invalid CSRF token found for http://spring-eureka-demo:3000/eureka/apps/SP
Responding with 403 status code
Securing POST /error
Set SecurityContextHolder to anonymous SecurityContext
Securing PUT /error?status=UP&lastDirtyTimestamp=1725333287255
```

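To Reproduce

Eureka server:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

  @Bean
  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests((authz) -> authz
            .requestMatchers("/eureka/**").permitAll()
            .requestMatchers("/actuator/health").permitAll()
            .requestMatchers("/actuator/**").hasRole("ADMIN")
            .anyRequest().authenticated()
        )
        .httpBasic(withDefaults())
        .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
            .disable()
        );
    return http.build();
  }

}
```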
```yaml
spring:
  application:
    name: spring-eureka-demo
  security:
    user:
      name: admin
      password: admin

server:
  port: 3000

eureka:
  client:
    register-with-eureka: false
    fetch-registry: false
  server:
    enable-self-preservation: false

logging:
  level:
    org:
      springframework:
        security: DEBUG
        cloud:
          netflix: DEBUG
```

Eureka client:

```yaml
spring:
  application:
    name: spring-config-demo
  security:
    user:
      name: admin
      password: admin

  profiles:
    default: native
    active: native

  cloud:
    config:
      server:
        native:
          search-locations: classpath:/configDev/

eureka:
  client:
    serviceUrl:
      defaultZone: http://admin:admin@spring-eureka-demo:3000/eureka/

server:
  port: 8104
```

Expected behavior

The Eureka client should be registered with the Eureka server.

Sample

Comment From: marcusdacoregio

Hi @weiro-9-w7. Since the register process is a server-to-server communication, it might make sense to disable CSRF for Eureka endpoints; take a look at the documentation. Does that make sense?
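
One way to apply the suggestion in the comment above, as an added example that is not code from the issue or from the Spring projects: the CSRF exemption is scoped to a dedicated filter chain for `/eureka/**`, while every other path keeps Spring Security's default CSRF protection. The class and bean names are hypothetical; the paths come from the issue's configuration, and the example assumes the client keeps sending HTTP Basic credentials in `defaultZone`, so `/eureka/**` requires authentication here instead of `permitAll()`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class EurekaServerSecurityConfig { // hypothetical class name

  // Chain 1: only the Eureka REST API that clients call to register, renew and cancel.
  @Bean
  @Order(1)
  public SecurityFilterChain eurekaApiChain(HttpSecurity http) throws Exception {
    http.securityMatcher("/eureka/**")
        // Registry writes need credentials; the client sends them via defaultZone.
        .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
        .httpBasic(withDefaults())
        // Service clients do not keep a session, so do not create one for them.
        .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        // Eureka clients send no CSRF token, so POST/PUT/DELETE would otherwise get 403.
        .csrf(csrf -> csrf.disable());
    return http.build();
  }

  // Chain 2: every other path; CSRF protection stays at its default (enabled).
  @Bean
  @Order(2)
  public SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests(authz -> authz
            .requestMatchers("/actuator/health").permitAll()
            .requestMatchers("/actuator/**").hasRole("ADMIN")
            .anyRequest().authenticated())
        .httpBasic(withDefaults());
    return http.build();
  }
}
```

With `org.springframework.security: DEBUG` enabled as in the issue, a successful registration should show `Secured POST /eureka/apps/...` in place of the `Invalid CSRF token found` lines.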