I am working on a basic microservices architecture system. Currently, I am trying to implement security on my gateway. However, when I try to send a POST via Postman to http://localhost:8765/api/auth/register, I keep getting "An expected CSRF token cannot be found".
This is my securityFilterChain:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    ...
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // CSRF disabled: the API is stateless and authenticates with a bearer token, not a session cookie
            .csrf(csrf -> csrf.disable())
            // unauthenticated requests are answered by the JWT entry point instead of a login redirect
            .exceptionHandling(exceptionHandling -> exceptionHandling.authenticationEntryPoint(jwtAuthenticationEntryPoint))
            // never create an HTTP session; every request must carry its own credentials
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authorize -> authorize
                // registration is open; everything else needs an authenticated request
                .requestMatchers(HttpMethod.POST, "/api/auth/register").permitAll()
                .anyRequest().authenticated())
            .httpBasic(httpBasic -> {});
        // run the JWT filter before the username/password filter so the token populates the security context first
        http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
    ...
}
This is the log that Spring Boot throws when receiving the POST (note that this doesn't mention anything about CSRF):
2024-03-16 17:46:05 [http-nio-8765-exec-1] DEBUG org.apache.coyote.http11.Http11InputBuffer - Received [POST /api/auth/register HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.37.0
Accept: */*
Postman-Token: e11ef3a5-dad1-46e6-94b9-b2c436ed236d
Host: localhost:8765
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 61
{
"username": "tobias",
"password": "password"
}]
2024-03-16 17:46:05 [http-nio-8765-exec-2] DEBUG org.apache.coyote.http11.Http11Processor - Error parsing HTTP request header
java.io.EOFException: null
at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.fillReadBuffer(NioEndpoint.java:1296) ~[tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.read(NioEndpoint.java:1184) ~[tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.coyote.http11.Http11InputBuffer.fill(Http11InputBuffer.java:785) ~[tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:348) ~[tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:264) [tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) [tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) [tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) [tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) [tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-embed-core-10.1.17.jar:10.1.17]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-10.1.17.jar:10.1.17]
at java.base/java.lang.Thread.run(Thread.java:833) [?:?]
Any hints or ideas? There are a few questions similar to this one on Stack Overflow, but none has been resolved yet.
This is the project on GitHub for you to check.
I tried different alternatives and configuration on securityFilterChain, but nothing seems to work.
In case it is useful for someone, the problem was that I was using @EnableWebSecurity, which enables security for a servlet-type web app.
Given that I am working on a gateway (and therefore on a reactive app), @EnableWebFluxSecurity should be used. Keep in mind that other things must also be adjusted.
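The reactive counterpart of the servlet configuration from the question, as an added example that is not the asker's project code. The servlet-side SecurityFilterChain bean is simply never consulted by a WebFlux application, so Spring Security's default reactive chain, which has CSRF protection switched on, keeps handling the request; a SecurityWebFilterChain bean is what replaces it. Assumptions not taken from the post: the gateway is the reactive Spring Cloud Gateway (which needs spring-boot-starter-webflux rather than the servlet web starter whose embedded Tomcat appears in the stack trace above), the JWT filter has been rewritten as a reactive WebFilter bean named jwtAuthenticationWebFilter, and HttpStatusServerEntryPoint stands in for the asker's jwtAuthenticationEntryPoint.

```java
// Added example (not the original post's code): reactive equivalent of the servlet SecurityConfig.
// Assumed: a WebFilter bean for JWT authentication and a plain 401 entry point (see lead-in).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import org.springframework.web.server.WebFilter;

@Configuration
@EnableWebFluxSecurity   // reactive stack: replaces @EnableWebSecurity
public class GatewaySecurityConfig {

    // Assumed bean: the JWT filter written as a reactive WebFilter.
    // A servlet jakarta.servlet.Filter, like the one in the question, cannot be used here.
    private final WebFilter jwtAuthenticationWebFilter;

    public GatewaySecurityConfig(WebFilter jwtAuthenticationWebFilter) {
        this.jwtAuthenticationWebFilter = jwtAuthenticationWebFilter;
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            // Without this bean Spring Security installs a default reactive chain with CSRF on,
            // which is what answers "An expected CSRF token cannot be found". Disabling CSRF is
            // acceptable only because nothing here authenticates with a session cookie.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            // Stateless: never store the SecurityContext in a WebSession
            // (the reactive equivalent of SessionCreationPolicy.STATELESS).
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            // Unauthenticated requests get a bare 401 instead of a redirect or login page.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)))
            .authorizeExchange(exchanges -> exchanges
                // registration is open; every other exchange must be authenticated
                .pathMatchers(HttpMethod.POST, "/api/auth/register").permitAll()
                .anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            // The reactive addFilterBefore takes a SecurityWebFiltersOrder position,
            // not a servlet filter class as in the question's configuration.
            .addFilterBefore(jwtAuthenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
            .build();
    }
}
```

With this chain in place the Postman POST to /api/auth/register reaches the route without a CSRF token, while any other path without valid credentials is answered with 401. When porting the JWT filter, have it complete the exchange with a 401 response on a bad token rather than throwing, since a thrown exception in a WebFilter would not pass through the servlet-style entry point the original code relied on.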