How to disable CsrfPreventionFilter?


#1

Hey,

I switched to version 3.3.0 and now I’m struggling with disabling the CsrfPreventionFilter. The filter causes my custom endpoints to be useless.

Is anyone else experiencing the same problem? Maybe got another fix?

Cheers
Marko


#2

Hi @ElectroLutz,
If you are looking to disable it, simply comment it in the web.xml file.


#3

Hey @hassang,

thank you for your response. I’m using the Spring Boot Starter which registers the filter via “CamundaBpmWebappInitializer”.

I fixed it 2 minutes ago by just registering an empty servlet filter with the name “CsrfPreventionFilter”.

Kinda hacky, but it works.

If anyone out there has a better fix: let me know.

Cheers
Marko


#4

Hi Marko,

3.3.0 has a bug that would wrongfully apply the CSRF filter to the standalone REST API endpoints. That’s why we already released 3.3.1 which should fix this.

Cheers,
Thorben


#5

Hey Thorben,

thank you for the quick fix! I updated my dependencies and it works like a charm.

Cheers
Marko


#6

Hi Thorben,
I have that issue on release 3.3.1. I see the filter pattern is “/api/","/app/” but my REST API usually starts with the prefix /api/v1 or maybe /api/v2 like that . I try to set configuration ‘camunda.bpm.webapp.csrf.entryPoints’ to filter out my APIs but it does not support regex. Finally I tried to create my filter by extending CsrfPreventionFilter and override the method isNonModifyingRequest. It worked but seems not a good solution.