Can't disable CSRF if OAuth2AuthorizationServerConfigurer is used #1872
Description
Describe the bug
When disabling CSRF with `httpSecurity.csrf(AbstractHttpConfigurer::disable)`, the `CsrfConfigurer` is successfully removed from the list. However, during the build phase, in `OAuth2AuthorizationServerConfigurer.init()`, these lines:

```java
httpSecurity.csrf((csrf) -> {
    csrf.ignoringRequestMatchers(new RequestMatcher[]{this.endpointsMatcher});
});
```

cause the `CsrfConfigurer` to be placed back in the list.
To Reproduce
Configure `httpSecurity` with both

```java
httpSecurity.csrf(AbstractHttpConfigurer::disable);
```

and

```java
final var authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();
httpSecurity.with(authorizationServerConfigurer, config -> { /* ... any config ... */ });
```

Observe that during `httpSecurity.build()`, `CsrfConfigurer.class` is placed back in the configurer list.
Expected behavior
Disabling CSRF should work regardless of other configurers
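A minimal configuration that reproduces the report, together with a startup check that inspects the built filter chain for a `CsrfFilter`, added here as an example; it is not code from the issue or from the Spring Security project. It assumes a Spring Boot application in which `RegisteredClientRepository` and `AuthorizationServerSettings` beans are already provided (for instance by the authorization server auto-configuration); the bean and class names are the example's own.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfFilter;

@Configuration
public class AuthorizationServerSecurityConfig {

    // Chain from the report: CSRF is disabled first, then the authorization
    // server configurer is applied. Its init() calls http.csrf(...) again during
    // build(), which re-registers CsrfConfigurer and puts CsrfFilter back.
    @Bean
    SecurityFilterChain authorizationServerChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer();

        http.csrf(AbstractHttpConfigurer::disable);

        http.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
            .with(authorizationServerConfigurer, Customizer.withDefaults());

        return http.build();
    }

    // True when the built chain still carries a CsrfFilter, i.e. the disable
    // call was undone by a later configurer.
    static boolean hasCsrfFilter(SecurityFilterChain chain) {
        return chain.getFilters().stream().anyMatch(CsrfFilter.class::isInstance);
    }

    // Startup check for this one chain (hypothetical bean name): fail fast at
    // boot rather than discovering at runtime that CSRF was not really disabled.
    @Bean
    ApplicationRunner csrfStateCheck(
            @Qualifier("authorizationServerChain") SecurityFilterChain chain) {
        return args -> {
            if (hasCsrfFilter(chain)) {
                throw new IllegalStateException(
                        "CsrfFilter present in authorizationServerChain although csrf() was disabled");
            }
        };
    }
}
```

On an affected version the application fails to start with the message above, which makes the behaviour described in the report visible without inspecting the configurer list by hand.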