Anonymous-url-patterns is not working for POST controllers

Jmix version: 2.3.0
Jmix Studio plugin version: 2.3.0-241
IntelliJ IDEA 2024.1 (Ultimate Edition)

Hi Jmix team.

I’ve got some URLs defined in the jmix.rest.anonymous-url-patterns property. It seems that they don’t work for POST requests anymore in the new version 2.3.0. That is to say, it keeps returning a 403 Forbidden error when I send a POST request to such an endpoint attached to

jmix.rest.anonymous-url-patterns = /bot-handler/**

after updating our project version to the newest one, 2.3.0. It only works for GET requests.

Any idea about this?

Hello. I can confirm that there is a problem with anything but GET requests to custom controllers with anonymous access in version 2.3.0. I suspect that the source of this problem is CsrfFilter.

o.s.security.web.csrf.CsrfFilter: Invalid CSRF token found for http://…

Hi guys,

Thank you for reporting the problem. I’ve created an issue. It will be fixed in the next Jmix patch release.

Until then, you can use a workaround. Create the following bean in your application. It should disable CSRF for the authorization server.

import io.jmix.autoconfigure.authserver.AuthServerAutoConfiguration;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.stereotype.Component;

@Component
@Qualifier(AuthServerAutoConfiguration.ResourceServerConfiguration.SECURITY_CONFIGURER_QUALIFIER)
public class AuthorizationServerCsrfConfigurer extends AbstractHttpConfigurer<AuthorizationServerCsrfConfigurer, HttpSecurity> {

    @Override
    public void init(HttpSecurity http) throws Exception {
        // Turn off CSRF protection for the filter chain this configurer is applied to
        http.csrf(csrf -> csrf.disable());
    }
}
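
A narrower variant of the workaround above, as an added example that is not part of the original thread or Jmix's own code: instead of disabling CSRF for the whole chain, it exempts only the paths listed in jmix.rest.anonymous-url-patterns. The class name AnonymousEndpointsCsrfConfigurer is hypothetical, and the example assumes the configurer is applied to the same filter chain as the bean above.

```java
import io.jmix.autoconfigure.authserver.AuthServerAutoConfiguration;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

import java.util.Arrays;

// Hypothetical class name; same qualifier as the workaround bean in the thread.
@Component
@Qualifier(AuthServerAutoConfiguration.ResourceServerConfiguration.SECURITY_CONFIGURER_QUALIFIER)
public class AnonymousEndpointsCsrfConfigurer
        extends AbstractHttpConfigurer<AnonymousEndpointsCsrfConfigurer, HttpSecurity> {

    // The property from the thread, e.g. "/bot-handler/**"; a comma-separated
    // list is split into an array, and an unset property yields an empty array.
    @Value("${jmix.rest.anonymous-url-patterns:}")
    private String[] anonymousUrlPatterns;

    @Override
    public void init(HttpSecurity http) throws Exception {
        // Build one Ant-style matcher per configured anonymous pattern.
        RequestMatcher[] exempt = Arrays.stream(anonymousUrlPatterns)
                .map(String::trim)
                .filter(pattern -> !pattern.isEmpty())
                .map(AntPathRequestMatcher::new)
                .toArray(RequestMatcher[]::new);

        if (exempt.length == 0) {
            // No anonymous patterns configured: leave CSRF protection untouched.
            return;
        }

        // CsrfFilter skips the token check only for requests matching these
        // patterns; every other non-GET request still needs a valid CSRF token.
        http.csrf(csrf -> csrf.ignoringRequestMatchers(exempt));
    }
}
```

Register either this bean or the one above, not both. Requests outside the listed patterns keep their CSRF check, unlike with csrf.disable().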