I thought I had a post on here already, but I can’t seem to find it.

I have an “exclude-urls” list which is defined as

It works for gets, but not posts. Am I missing another configuraiton? I can’t find the exclude-urls docs for some reason. Which could be me.


I assume you get a CSRF error

So you probably want to disable CSRF for the API


This has to be done in your security configuration class

After getting debug logs enabled, that was the problem. Is there an order to how that needs to be disabled?

I have a SecurityConfiguration extending VaadinSecurityConfiguration
protected void configure(HttpSecurity http) throws Exception {


    setLoginView(http, LoginView.class);

Or do I need another SecuriityConfiguration specifically for those other reuqests?

Thanks for the help!

just do it as the first line in your method

Nope. is there a good way to debug this? I see on startup it is going into the configure and executing the call for setting it to false. But when I make the post request, it is still checking for the token.

Thanks for taking the time.

It has to be after the super. call

(if you wanna disable it completely)

Yeah, I had tried that also.

Apparently, this worked:
.and().csrf(csrf → csrf.ignoringRequestMatchers(new AntPathRequestMatcher("/api/

“/api/**” not just “/api”. Thank you both.