Problem with removing code that disables Spring boot CSRF

Flow
1

Hi!
We are upgrading from Vaadin 14 to Vaadin 24.

In our SecurityConfiguration we used to turn off the Spring boot csrf but I read that we should not need this after Vaadin 21.

The code below is working fine until I remove http.csrf(AbstractHttpConfigurer::disable)
If I remove it and try to logout I get:
Could not navigate to 'doLogout'

@EnableWebSecurity
@Configuration
@Profile(value = {"local-development-security"})
public class LocalDevelopmentSecurityConfiguration extends VaadinWebSecurity {

    @Autowired
    private Environment env;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests ->
                        requests.requestMatchers(UIUtils::isFrameworkInternalRequest).permitAll()
                                .requestMatchers("/frontend/**", "/frontend-es5/**", "/frontend-es6/**", "/VAADIN/**",
                                        "/login_error*", "/logout", "/timeout", "/diagnostics/**",
                                        "/test-authenticate*", "/offline-stub.html", "/sw-runtime-resources-precache.js")
                                .permitAll()
                )
                .formLogin(login -> login.loginPage("/" + SecurityUtils.getLoginPage(env)).permitAll())
                .logout(logout -> logout.logoutUrl("/doLogout").logoutSuccessUrl("/logout"));

        super.configure(http);
        http.csrf(AbstractHttpConfigurer::disable); // use Vaadin's CSRF protection instead.
        SecurityUtils.disableViewAccessChecker(getViewAccessChecker());
    }
}
2

Adding “/doLogout” to requestMatchers permitAll() doesn’t help

3

How do you logout from the application?

4

Ok I found out what was the issue. We’re using GET request for logging out and with CSRF enabled this was not possible without adding

http.authorizeHttpRequests(requests ->
                        requests.requestMatchers(UIUtils::isFrameworkInternalRequest).permitAll()
                                .requestMatchers("/frontend/**", "/frontend-es5/**", "/frontend-es6/**", "/VAADIN/**",
                                        "/login_error*", "/logout", "/timeout", "/diagnostics/**",
                                        "/test-authenticate*", "/offline-stub.html", "/sw-runtime-resources-precache.js")
                                .permitAll()
                )
                .formLogin(login -> login.loginPage("/" + SecurityUtils.getLoginPage(env)).permitAll())
                .logout(logout -> {
                    logout.logoutUrl("/doLogout").logoutSuccessUrl("/logout");
                    // If CSRF protection is enabled (default), then the request must also be a POST.
                    // This means that by default POST "/logout" is required to trigger a log out.
                    // It is considered best practice to use an HTTP POST on any action that changes state (i.e. log out) to protect against CSRF attacks.
                    // If you really want to use an HTTP GET, you can use logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));
                    logout.logoutRequestMatcher(new AntPathRequestMatcher("/doLogout", "GET"));
                });
5

Or you can logout from the server using the AuthenticationContext#logout: Enabling Security | Security | Vaadin Docs

6

VaadinWebSecurity
This class disables Spring CSRF as it is needed with Vaadin, you do not need to configure it yourself when using VaadinWebSecurity.

7

You mean that we don’t need to disable it anymore? This is what I was trying to accomplish when I got this issue :slightly_smiling_face:

8

Yeah → flow/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurity.java at main · vaadin/flow · GitHub