Open
Opened on Dec 7, 2022
Context
Due to the sample aad-resource-server-by-filter disabling the CSRF protection, the github-code-scanning suggests enabling this protection in this PR, and it's good advice.
The sample cannot work when upgraded to SCA 6.0.0-beta.3, because the CSRF protection of Spring Security has been enhanced after 6.0.0-M7: the Angular JS (1.2.25) client gives high priority to always setting a header with a CSRF token saved in a cookie for each HTTP request, but a new CSRF token value should be taken from the attribute of the request object, which is handled by the CsrfFilter, so we should reconsider the CSRF protection for all the Azure AD samples, and I am not sure the default configurer of SCA also should enable the CSRF protection by default.
Goal
- Update the CSRF protection switch for the Azure AD default configurer (4.x and 6.x) if needed.
- Update the CSRF protection switch for all the samples (4.x and 6.x) which are based on Spring Security Web if needed.
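As an added illustration of the interaction described above (not code from the azure-sdk-for-java samples or from Spring Security itself), the following Spring Security 6.0 configuration keeps CSRF protection enabled for a cookie/header based client such as AngularJS: the token lives in a non-HttpOnly `XSRF-TOKEN` cookie, the client echoes it in the `X-XSRF-TOKEN` header, and a small filter reads the request attribute set by `CsrfFilter` so the deferred token is actually resolved and the cookie is written. It assumes a servlet (Spring Boot 3 / jakarta) application; the class names `CsrfConfig` and `CsrfCookieFilter` are hypothetical.

```java
// Added example: re-enable CSRF for a cookie/header (AngularJS-style) client on Spring Security 6.0.
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class CsrfConfig { // hypothetical class name

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Spring Security 6.0 defaults to XorCsrfTokenRequestAttributeHandler (BREACH protection),
        // which sends a masked value that an unmodified AngularJS client would echo back unchanged.
        // The plain handler keeps the raw token so the cookie value and the header value match.
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
        http
            .csrf(csrf -> csrf
                // HttpOnly=false so the AngularJS $http client can read XSRF-TOKEN and copy it
                // into the X-XSRF-TOKEN header on every request.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(requestHandler))
            // 6.0 loads the token lazily; touch it once per request so Set-Cookie is emitted.
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }

    /** Resolves the deferred CsrfToken that CsrfFilter stored as the "_csrf" request attribute. */
    static final class CsrfCookieFilter extends OncePerRequestFilter { // hypothetical helper
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
            if (csrfToken != null) {
                csrfToken.getToken(); // reading the value triggers loading and the cookie write
            }
            filterChain.doFilter(request, response);
        }
    }
}
```

With this in place, unsafe requests (POST/PUT/DELETE) missing or carrying a mismatched `X-XSRF-TOKEN` header are rejected by `CsrfFilter` with 403, while the AngularJS client that reads the cookie keeps working.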