How to stop the CSRF token from being replaced on paths listed in ignoringRequestMatchers? I did not write the code below; I am trying to fix a problem someone else introduced with this configuration.
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    // The CSRF token is kept in a cookie, so no HttpSession is needed (matches the STATELESS policy below).
    // Secure=true: a browser will not store or send this cookie over plain http, so every request then
    // arrives without a token and a fresh one is issued. SameSite=Strict: the cookie is not sent on
    // cross-site requests, so if the front end lives on a different site (CORS is enabled below) the cookie
    // never comes back either. NOTE(review): both would look like "the token keeps being replaced" —
    // confirm the scheme and origin of the client before changing anything else.
    // NOTE(review): CookieCsrfTokenRepository marks the cookie HttpOnly by default in Spring Security 6;
    // a JS client that copies the cookie value into the X-XSRF-TOKEN header needs httpOnly(false) — verify.
    CookieCsrfTokenRepository tokenRepository = new CookieCsrfTokenRepository();
    tokenRepository.setCookieCustomizer(cookie -> cookie
            .sameSite(Cookie.SameSite.STRICT.attributeValue())
            .secure(true));

    // Makes the token available to handlers as the "_csrf" request attribute.
    // NOTE(review): XorCsrfTokenRequestAttributeHandler is the BREACH-hardened variant; the plain handler
    // is only appropriate when the token value is never echoed in a response body — confirm.
    CsrfTokenRequestAttributeHandler tokenRequestHandler = new CsrfTokenRequestAttributeHandler();
    tokenRequestHandler.setCsrfRequestAttributeName("_csrf");

    http.csrf(csrf -> csrf
            .csrfTokenRepository(tokenRepository)
            .csrfTokenRequestHandler(tokenRequestHandler)
            // Paths exempt from CSRF *enforcement* only: CsrfFilter still loads the token for these requests
            // and issues a new one when the cookie is absent; ignoring merely skips the comparison. By default
            // the filter only checks state-changing methods (GET/HEAD/OPTIONS/TRACE are never checked), so
            // ignoring a path that is only ever read with GET changes nothing.
            // NOTE(review): /user/getUserDetails still requires authentication (anyRequest() below). If
            // jwtFilter reads the JWT from a cookie rather than an Authorization header, exempting this path
            // reopens CSRF on an authenticated endpoint — confirm how the JWT is transported.
            // https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#disable-csrf
            .ignoringRequestMatchers("/user/getUserDetails", "/user/register", "/user/refreshToken"));

    http.cors(Customizer.withDefaults());

    // Rule order matters: the first matching rule wins, so the public paths must come before anyRequest().
    http.authorizeHttpRequests(requests -> requests
            .requestMatchers("/user/register", "/user/login", "/user/refreshToken", "/home").permitAll()
            // .requestMatchers("/**").permitAll() -- enable only when this app also serves static files
            .anyRequest().authenticated());

    // No HttpSession is created; authentication is re-established on every request by jwtFilter.
    http.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

    // jwtFilter authenticates the request at the form-login position; csrfCookieFilter runs right after it
    // (presumably to touch the deferred token so the cookie is actually written — cannot confirm from here).
    http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    http.addFilterAfter(csrfCookieFilter, UsernamePasswordAuthenticationFilter.class);

    return http.build();
}