SEC-2886: Session flag to bypass CSRF #3004
Comments
|
Rob Winch said: Does using CsrfFilter's requireCsrfProtectionMatcher work for you? This is a strategy pattern for determining when the CsrfFilter will enforce CSRF protection. By default it is set to execute for POST, PUT, DELETE, etc. For Java Configuration, you can customize it with the following: XML Based configuration can use csrf@request-matcher-ref. |
|
Christopher Smith said: That's the approach I'm planning to use, but this seems like a possible general-purpose solution to the common problem, and I wanted to propose having available in the framework (especially for the builder). |
spring-projects-issues
added
in: web
rwinch
added
status: waiting-for-feedback
|
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed. |
spring-projects-issues
added
the
status: feedback-reminder
rwinch
removed
status: feedback-reminder
Christopher Smith (Migrated from SEC-2886) said:
My application uses identical URI endpoints for both Web and non-Web clients. While I appreciate the importance of CSRF protection for Web interfaces, it would be helpful to be able to specifically tag a session as "this is from a non-Web client and should be ignored by
CsrfFilter", probably with a specifically-named attribute. This would provide a straightforward and comprehensible point for implementing per-client CSRF policy.The text was updated successfully, but these errors were encountered: