How to disable CsrfPreventionFilter?

Hey,

I switched to version 3.3.0 and now I’m struggling with disabling the CsrfPreventionFilter. The filter causes my custom endpoints to be useless.

Is anyone else experiencing the same problem? Maybe got another fix?

Cheers
Marko

Hi @ElectroLutz,
If you are looking to disable it, simply comment it out in the web.xml file.

Hey @hassang,

thank you for your response. I’m using the Spring Boot Starter which registers the filter via “CamundaBpmWebappInitializer”.

I fixed it 2 minutes ago by just registering an empty servlet filter with the name “CsrfPreventionFilter”.

Kinda hacky, but it works.

If anyone out there has a better fix: let me know.

Cheers
Marko

Hi Marko,

3.3.0 has a bug that would wrongfully apply the CSRF filter to the standalone REST API endpoints. That’s why we already released 3.3.1 which should fix this.

Cheers,
Thorben


Hey Thorben,

thank you for the quick fix! I updated my dependencies and it works like a charm.

Cheers
Marko

Hi Thorben,
I have that issue on release 3.3.1. I see the filter pattern is "/api/", "/app/", but my REST API usually starts with the prefix /api/v1 or maybe /api/v2. I tried to set the configuration ‘camunda.bpm.webapp.csrf.entryPoints’ to exclude my APIs, but it does not support regex. Finally I tried to create my own filter by extending CsrfPreventionFilter and overriding the method isNonModifyingRequest. It worked, but it seems not a good solution.

Hi,
I get the same behavior as Stevechen. Also using 3.3.1, and my API starts with /api/v1.
@Stevechen: Could you provide the source of your class?
Thx,
Stephan

Sorry, after several tests, overriding the class did not work well. My project uses nginx, so the final solution was adding the prefix /api/v1 in the nginx configuration and removing that prefix from Spring Boot. Maybe Camunda will fix this issue in a later version.

This worked for me

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class CsrfAutoConfiguration {
    private static final String CSRF_PREVENTION_FILTER = "CsrfPreventionFilter";
    /**
     * Overwrite csrf filter from Camunda configured here
     * org.camunda.bpm.spring.boot.starter.webapp.CamundaBpmWebappInitializer
     * org.camunda.bpm.spring.boot.starter.webapp.filter.SpringBootCsrfPreventionFilter
     * Is configured with basically a 'no-op' filter
     */
    @Bean
    public ServletContextInitializer csrfOverwrite() {
        return servletContext -> servletContext.addFilter(CSRF_PREVENTION_FILTER, (request, response, chain) -> chain.doFilter(request, response));
    }
}

I had the same issue and this fixed it.
Thank you @Wesley_Connor

Thank you very much! Works well in my case.

Where (in what file) is this code applied?

I’ve struggled with this problem as well. To debug I’ve made a special tiny project with a minimal code base to reproduce the issue.

My use case is that I want to open one specific API endpoint for POST requests, called "/api/open" in my debug project, while everything else keeps the default secure behaviour, tested in my case with "/api/closed".

I’ve found 2 solutions, the one mentioned by @Wesley_Connor, which fully disables csrf.
And another mentioned here:

Which disables Camunda’s csrf for just a specific endpoint.

I’ve implemented both solutions in my debug project, so you can see exactly what changes were necessary. As well as a simple test script to validate the results.

I’ve added 2 tags, 1 for each solution.
See the ReadMe for how to run it. Works best using Intellij.

This link is also interesting as it points to the relevant docs for the second solution. However I’m only allowed to include 2 links per comment…

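Two of the approaches in this thread, the no-op filter posted above and the subclass overriding isNonModifyingRequest that Stevechen tried, can be combined into one that keeps Camunda's CSRF check for Cockpit/Tasklist and the built-in REST API while exempting only a chosen prefix of your own controllers. The no-op filter fully disables CSRF protection, including for the /app/ webapp paths the filter is mapped to, which is a larger hole than most people opening a single endpoint need. The following is an added example, not code from the thread or from Camunda. It assumes: the starter skips its own registration when a filter named "CsrfPreventionFilter" already exists and your initializer runs first (the same mechanism the no-op solution relies on); CsrfPreventionFilter's isNonModifyingRequest is a protected method in your Camunda version (as reported above); the javax.servlet API; and the exempt prefixes, class names and URL patterns are placeholders chosen for illustration.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.http.HttpServletRequest;

import org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example (not Camunda's code): registers a subclass of Camunda's CSRF filter under
 * the name the Spring Boot starter uses, so the starter's own registration is skipped
 * (assumption: it checks for an existing registration by name and this bean runs first).
 */
@Configuration
public class CsrfExemptPathsConfiguration {

    private static final String CSRF_PREVENTION_FILTER = "CsrfPreventionFilter";

    // Assumed placeholders: context-relative prefixes that bypass the CSRF token check.
    // Keep this list short. Endpoints here should authenticate with something a browser
    // does not attach automatically (e.g. a bearer token), because cookie-authenticated
    // state-changing requests are exactly what CSRF exploits.
    private static final List<String> CSRF_EXEMPT_PREFIXES = Arrays.asList("/api/v1/", "/api/v2/");

    // The URL patterns the thread reports the starter mapping the filter to.
    private static final String[] CSRF_URL_PATTERNS = {"/api/*", "/app/*"};

    /** Camunda's filter plus a path-based exemption. */
    public static class PathExemptingCsrfPreventionFilter extends CsrfPreventionFilter {

        @Override
        protected boolean isNonModifyingRequest(HttpServletRequest request) {
            // Camunda's own rule first: safe HTTP methods and configured entry points.
            if (super.isNonModifyingRequest(request)) {
                return true;
            }
            // Use the container-normalized servlet path, not the raw request URI, so a
            // request like /api/v1/../app/... (or its percent-encoded form) that is actually
            // dispatched under /app/ is not mistaken for an exempt one.
            String path = request.getServletPath();
            if (request.getPathInfo() != null) {
                path = path + request.getPathInfo();
            }
            return isExemptPath(path);
        }
    }

    /** Pure matching rule, kept separate so it can be unit-tested without a servlet container. */
    static boolean isExemptPath(String contextRelativePath) {
        if (contextRelativePath == null || contextRelativePath.contains("..")) {
            return false; // defence in depth: never exempt anything that still looks unnormalized
        }
        for (String prefix : CSRF_EXEMPT_PREFIXES) {
            if (contextRelativePath.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Bean
    public ServletContextInitializer csrfExemptPaths() {
        return servletContext -> {
            FilterRegistration.Dynamic reg =
                servletContext.addFilter(CSRF_PREVENTION_FILTER, new PathExemptingCsrfPreventionFilter());
            if (reg == null) {
                // Per the Servlet API, null means a filter with this name already exists:
                // Camunda's initializer ran first and this configuration had no effect.
                // Fail loudly instead of silently running a different CSRF policy.
                throw new IllegalStateException(
                    CSRF_PREVENTION_FILTER + " is already registered; fix initializer ordering");
            }
            reg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, CSRF_URL_PATTERNS);
        };
    }
}
```

Because this instance is created here rather than by the starter, any camunda.bpm.webapp.csrf.* settings (entry points, target origin, deny status) you relied on are not applied to it automatically; pass them with reg.setInitParameter(...) if you need them. Verify the result the way the debug project above does: a POST without a token to an exempt path must succeed, and the same POST to a non-exempt path under /api/ or /app/ must still be rejected.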

Thanks a lot for posting your solution! Really handy.

@Niall, I upgraded the Camunda Spring Boot version to 7.13.0 and was thrown the CSRF token exception while trying to log in to the application. I have no custom endpoints. Using the configuration class approach, I was able to get past the issue. But I wanted to confirm whether this issue occurs irrespective of any custom endpoints, since that’s my use case, or whether I am missing something when updating to the latest version of Camunda.
Thanks!