Hi Tony,
thanks for this.
So the spring code already contained the crsf code. Is that not working
properly?
------ Original Message ------
From: "Tony Harris" <Tony.Harris(a)oneadvanced.com>
To: "John Norris" <johnnorris-10(a)outlook.com>;
"keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Sent: 11/11/2019 12:18:43
Subject: RE: Spring Boot and Keycloak
I have seen 403 responses when the CSRF token is not sent with the
request.
The Spring security code is
protected void configure(HttpSecurity http) throws Exception
{
super.configure(http);
http
.authorizeRequests()
.antMatchers("/**").hasRole("user")
.antMatchers("/", "/login**", "/unpkg.com/**",
"/cdn.jsdelivr.net","/error**","/*.js","/*.css")
.permitAll()
.anyRequest()
.authenticated()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}