How to disable CsrfPreventionFilter?


#1

Hey,

I switched to version 3.3.0 and now I’m struggling with disabling the CsrfPreventionFilter. The filter causes my custom endpoints to be useless.

Is anyone else experiencing the same problem? Maybe got another fix?

Cheers
Marko


#2

Hi @ElectroLutz,
If you are looking to disable it, simply comment it in the web.xml file.


#3

Hey @hassang,

thank you for your response. I’m using the Spring Boot Starter which registers the filter via “CamundaBpmWebappInitializer”.

I fixed it 2 minutes ago by just registering an empty servlet filter with the name “CsrfPreventionFilter”.

Kinda hacky, but it works.

If anyone out there has a better fix: let me know.

Cheers
Marko


#4

Hi Marko,

3.3.0 has a bug that would wrongfully apply the CSRF filter to the standalone REST API endpoints. That’s why we already released 3.3.1 which should fix this.

Cheers,
Thorben


#5

Hey Thorben,

thank you for the quick fix! I updated my dependencies and it works like a charm.

Cheers
Marko


#6

Hi Thorben,
I have that issue on release 3.3.1. I see the filter pattern is “/api/”, “/app/”, but my REST API usually starts with the prefix /api/v1 or maybe /api/v2, like that. I tried to set the configuration ‘camunda.bpm.webapp.csrf.entryPoints’ to filter out my APIs, but it does not support regex. Finally I tried to create my own filter by extending CsrfPreventionFilter and overriding the method isNonModifyingRequest. It worked, but it seems not a good solution.


#7

Hi,
I get the same behavior as Stevechen. Also using 3.3.1, and my API starts with /api/v1.
@Stevechen: Could you provide the source of your class?
Thx,
Stephan


#8

Sorry, after several tests, it did not work well by overriding the class. My project uses nginx, so the final solution is adding the prefix /api/v1 to the nginx configuration and removing that prefix from Spring Boot. Maybe Camunda will fix such an issue in a later version.


#9

This worked for me

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CsrfAutoConfiguration {

    private static final String CSRF_PREVENTION_FILTER = "CsrfPreventionFilter";

    /**
     * Overwrite the CSRF filter that Camunda configures in
     * org.camunda.bpm.spring.boot.starter.webapp.CamundaBpmWebappInitializer
     * (org.camunda.bpm.spring.boot.starter.webapp.filter.SpringBootCsrfPreventionFilter)
     * by registering a 'no-op' filter under the same name first, so the
     * starter's own registration of that name is skipped by the container.
     */
    @Bean
    public ServletContextInitializer csrfOverwrite() {
        // The lambda is a javax.servlet.Filter whose doFilter only continues the chain.
        return servletContext -> servletContext.addFilter(CSRF_PREVENTION_FILTER,
                (request, response, chain) -> chain.doFilter(request, response));
    }
}
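A path-scoped variant of the no-op approach in #9, addressing the situation in #6 (custom REST endpoints under /api/v1 and /api/v2 while the stock filter matches all of /api/). This is added example code, not code from this thread or from the Camunda project. It registers the same filter name ahead of the starter, but wraps the real CSRF filter instead of replacing it, so the /app/ webapp keeps its protection and only the listed stateless REST prefixes bypass the check. Assumptions: the starter's SpringBootCsrfPreventionFilter (named in the comment of #9) has a public no-arg constructor; this initializer, like the one in #9, runs before CamundaBpmWebappInitializer; the URL patterns "/api/*" and "/app/*" mirror what #6 reports for the stock filter; the prefixes /api/v1/ and /api/v2/ are constructed example values; PathExemptingFilter and ScopedCsrfConfiguration are hypothetical names.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.camunda.bpm.spring.boot.starter.webapp.filter.SpringBootCsrfPreventionFilter;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Example (not Camunda project code): registers the name "CsrfPreventionFilter" before the
 * starter does, but keeps the real CSRF check for everything except listed stateless REST prefixes.
 */
@Configuration
public class ScopedCsrfConfiguration {

    private static final String CSRF_PREVENTION_FILTER = "CsrfPreventionFilter";

    // Constructed example values: application-relative prefixes of REST endpoints that no
    // browser session reaches. Keep the trailing slash so "/api/v1" does not also exempt "/api/v1evil".
    private static final List<String> EXEMPT_PREFIXES = Arrays.asList("/api/v1/", "/api/v2/");

    @Bean
    public ServletContextInitializer scopedCsrfFilter() {
        return servletContext -> {
            // Assumption: the starter's filter has a public no-arg constructor.
            Filter csrfFilter = new SpringBootCsrfPreventionFilter();
            FilterRegistration.Dynamic registration = servletContext.addFilter(
                    CSRF_PREVENTION_FILTER, new PathExemptingFilter(csrfFilter, EXEMPT_PREFIXES));
            // addFilter returns null when the name is already taken, i.e. the starter ran first
            // and this override silently did nothing; fail loudly rather than guess the CSRF state.
            if (registration == null) {
                throw new IllegalStateException(CSRF_PREVENTION_FILTER + " already registered; this initializer must run first");
            }
            // Same patterns the thread reports for the stock filter ("/api/", "/app/").
            registration.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/api/*", "/app/*");
        };
    }

    /** Delegates to the wrapped CSRF filter unless the request falls under an exempt prefix. */
    static final class PathExemptingFilter implements Filter {
        private final Filter delegate;
        private final List<String> exemptPrefixes;

        PathExemptingFilter(Filter delegate, List<String> exemptPrefixes) {
            this.delegate = delegate;
            this.exemptPrefixes = exemptPrefixes;
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            delegate.init(filterConfig); // let the real filter read its own init parameters
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (request instanceof HttpServletRequest && isExempt((HttpServletRequest) request)) {
                chain.doFilter(request, response); // stateless REST path: skip the CSRF check
                return;
            }
            delegate.doFilter(request, response, chain); // webapp and everything else: real check
        }

        @Override
        public void destroy() {
            delegate.destroy();
        }

        // Match on the container-decoded servlet path plus path info, not the raw request URI,
        // so percent-encoding tricks in the URI cannot make an /app/ request look exempt.
        private boolean isExempt(HttpServletRequest request) {
            String path = request.getServletPath();
            if (request.getPathInfo() != null) {
                path += request.getPathInfo();
            }
            String withSlash = path.endsWith("/") ? path : path + "/";
            for (String prefix : exemptPrefixes) {
                if (withSlash.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

Compared with the plain no-op filter, a misconfiguration here fails at startup instead of leaving the webapp's state-changing /app/ endpoints unprotected, and the exemption list is explicit and reviewable. If your REST endpoints are authenticated by a cookie session rather than a token or basic auth, they are not stateless and should not be on the list.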


#10

I had the same issue and this fixed it.
Thank you @Wesley_Connor