Problem with removing code that disables Spring Boot CSRF

Hi!
We are upgrading from Vaadin 14 to Vaadin 24.

In our SecurityConfiguration we used to turn off Spring Boot CSRF, but I read that we should not need this after Vaadin 21.

The code below is working fine until I remove http.csrf(AbstractHttpConfigurer::disable).
If I remove it and try to log out I get:
Could not navigate to 'doLogout'

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
// UIUtils and SecurityUtils are the application's own helper classes (imports omitted).

@EnableWebSecurity
@Configuration
@Profile(value = {"local-development-security"})
public class LocalDevelopmentSecurityConfiguration extends VaadinWebSecurity {

    @Autowired
    private Environment env;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
                // Vaadin's own internal requests and static resources are public.
                .requestMatchers(UIUtils::isFrameworkInternalRequest).permitAll()
                .requestMatchers("/frontend/**", "/frontend-es5/**", "/frontend-es6/**", "/VAADIN/**",
                        "/login_error*", "/logout", "/timeout", "/diagnostics/**",
                        "/test-authenticate*", "/offline-stub.html", "/sw-runtime-resources-precache.js")
                .permitAll())
            .formLogin(login -> login.loginPage("/" + SecurityUtils.getLoginPage(env)).permitAll())
            // Logout endpoint and the page shown after a successful logout.
            .logout(logout -> logout.logoutUrl("/doLogout").logoutSuccessUrl("/logout"));

        super.configure(http);
        http.csrf(AbstractHttpConfigurer::disable); // use Vaadin's CSRF protection instead.
        SecurityUtils.disableViewAccessChecker(getViewAccessChecker());
    }
}

Adding “/doLogout” to requestMatchers permitAll() doesn’t help.

How do you logout from the application?

OK, I found out what the issue was. We’re using a GET request for logging out, and with CSRF enabled this was not possible without adding:

http.authorizeHttpRequests(requests -> requests
        .requestMatchers(UIUtils::isFrameworkInternalRequest).permitAll()
        .requestMatchers("/frontend/**", "/frontend-es5/**", "/frontend-es6/**", "/VAADIN/**",
                "/login_error*", "/logout", "/timeout", "/diagnostics/**",
                "/test-authenticate*", "/offline-stub.html", "/sw-runtime-resources-precache.js")
        .permitAll())
    .formLogin(login -> login.loginPage("/" + SecurityUtils.getLoginPage(env)).permitAll())
    .logout(logout -> {
        logout.logoutUrl("/doLogout").logoutSuccessUrl("/logout");
        // If CSRF protection is enabled (default), then the request must also be a POST.
        // This means that by default POST "/logout" is required to trigger a log out.
        // It is considered best practice to use an HTTP POST on any action that changes state (i.e. log out) to protect against CSRF attacks.
        // If you really want to use an HTTP GET, you can use logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));
        logout.logoutRequestMatcher(new AntPathRequestMatcher("/doLogout", "GET"));
    });

Or you can log out from the server using AuthenticationContext#logout: Enabling Security | Security | Vaadin Docs

VaadinWebSecurity
This class disables Spring CSRF as needed with Vaadin; you do not need to configure it yourself when using VaadinWebSecurity.
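Putting the two previous replies together (AuthenticationContext#logout and VaadinWebSecurity handling CSRF itself), here is an added example of a Vaadin 24 configuration that keeps Spring's default CSRF handling and no GET logout matcher, with a view that logs out through the server-side API instead of navigating to a URL. This is not code from the thread or from Vaadin's sources; the route name "dashboard" and the LoginView class are assumptions.

```java
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.spring.security.AuthenticationContext;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import jakarta.annotation.security.PermitAll;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

/**
 * Added example: no http.csrf(...disable) and no GET logoutRequestMatcher.
 * VaadinWebSecurity.configure(http) already replaces Spring's CSRF handling
 * with Vaadin's own token check and registers a POST-based logout, so the
 * subclass only has to declare the login view.
 */
@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // LoginView is an assumed @Route("login") view of this application.
        setLoginView(http, LoginView.class);
    }
}

/**
 * Added example: the logout button calls AuthenticationContext#logout.
 * The logout handlers run inside the current Vaadin request, which already
 * carries Vaadin's CSRF token, and the browser is then sent to the configured
 * logout success URL. No CSRF-exempt GET endpoint is needed.
 */
@Route("dashboard") // assumed route name
@PermitAll
class DashboardView extends VerticalLayout {

    DashboardView(AuthenticationContext authContext) {
        // AuthenticationContext is a Spring bean provided by vaadin-spring.
        Button logout = new Button("Log out", event -> authContext.logout());
        add(logout);
    }
}
```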

You mean that we don’t need to disable it anymore? This is what I was trying to accomplish when I got this issue 🙂

Yeah → flow/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurity.java at main · vaadin/flow · GitHub