I got it
Now I noticed that you have a permitAll annotation on the controller
Thanks for your help
Is that a problem?
It may be if you have enabled method security, but that is probably not your case
Good morning, I stumbled upon the same issue after upgrading to Vaadin 24. GET requests pass through the filter, but POST requests are checked against the CSRF token. After trying the solution on Stack Overflow, it worked. The key part is the http.csrf().ignoringRequestMatchers("/youPath/");
o.s.security.web.FilterChainProxy : Securing POST /api/redsys/callback
o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://127.0.0.1:8080/api/redsys/callback
o.s.s.w.access.AccessDeniedHandlerImpl : Responding with 403 status code
o.s.security.web.FilterChainProxy : Securing POST /error
o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using com.vaadin.flow.spring.security.VaadinWebSecurity$$Lambda$1827/0x00000008018b9308@85b5097
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using any request
s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@18360635
o.s.s.web.DefaultRedirectStrategy : Redirecting to http://127.0.0.1:8080/login
Here is the complete configure method for reference:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeHttpRequests().requestMatchers("/api/**").permitAll();
http.csrf().ignoringRequestMatchers("/api/**"); //Had to add this line to ignore CSRF on the endpoints
http.headers().frameOptions().disable();
super.configure(http);
setLoginView(http, LoginView.class, LOGOUT_URL);
}
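A narrower variant of that configure method, written here as an added example (not the poster's code and not Vaadin's own): the CSRF exemption and the permitAll are restricted to the single callback path seen in the log and to the POST method, instead of all of /api/**. The path /api/redsys/callback and the LoginView class come from the thread; the Spring Security 6 / Vaadin 24 API usage and the class name SecurityConfig are assumptions.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends VaadinWebSecurity {

    // The only endpoint that external callers may hit without a session or CSRF token.
    // Constructed from the path in the log above; adjust to your own callback route.
    private static final String CALLBACK_PATH = "/api/redsys/callback";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Permit anonymous access to the callback for POST only.
        // A GET to the same path, or any other /api/** route, still requires login.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, CALLBACK_PATH).permitAll());

        // Exempt exactly this path + method from CsrfFilter, rather than "/api/**".
        // Placed before super.configure(http), as in the thread's configure method,
        // so Vaadin's own CSRF setup is applied afterwards.
        http.csrf(csrf -> csrf.ignoringRequestMatchers(
                new AntPathRequestMatcher(CALLBACK_PATH, HttpMethod.POST.name())));

        super.configure(http);

        // LoginView is assumed to be the application's own Vaadin login view class.
        setLoginView(http, LoginView.class);
    }
}
```

Because the callback is now reachable without a session, the handler behind it has to establish the request's authenticity on its own (whatever signature or shared-secret mechanism the payment provider supplies), since neither the session nor the CSRF token protects it any more.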
@PermitAll
This specifically means: allow only authenticated users, with all roles.