我正在尝试建立一个与本地spring boot REST应用程序对话的angular 6应用程序。几天之后,我终于能够登录并使用GET请求,该请求似乎使用了正确的cookie。有2个cookie,一个JSESSION cookie和一个XSRF cookie。问题是我从任何POST请求中收到403响应。我非常有信心,我的Spring设置更多的是问题。
以下是相关的Spring Security配置:
@Configuration
public class CORSConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("http://localhost:4200")
.allowCredentials(true)
.allowedHeaders("*")
.allowedMethods("GET", "POST", "*")
.exposedHeaders("Set-Cookie","Authorization");
}
还有
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors()
.and()
.httpBasic()
.and()
.authorizeRequests()
.antMatchers("/", "/main", "/user", "/runtime.js","/polyfills.js",
"/main.js", "/styles.js", "/vendor.js").permitAll()
.anyRequest().authenticated()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and().sessionManagement().maximumSessions(1).and()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
请注意,此设置中实际上未使用“ / user”之外的antMatchers。这些文件是使用ng serve在本地提供的。
这是我的角度设置:
@Injectable()
export class AuthenticationInterceptor implements HttpInterceptor{
intercept(req: HttpRequest<any>, next: HttpHandler):
Observable<HttpEvent<any>>
{
const xhr = req.clone({
headers: req.headers.set('X-Requested-With', 'XMLHttpRequest'),
withCredentials: true
});
return next.handle(xhr);
}
此通话将立即生效:
getExercise(id:Number): Observable<Exercise>
{
return this.http.get<Exercise>(environment.baseUrl + '/api/exercise/' + id);
}
但是,这是一个POST,不会。
saveExercise(exercise: Exercise): Observable<Exercise>
{
return this.http.post<Exercise>(environment.baseUrl +
'/newExercise',exercise);
}
这是GET的Spring Security日志:
DEBUG 18776 --- [nio-8080-exec-1] o.s.b.w.s.f.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade@29dbd699
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
DEBUG 18776 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2de4577a
DEBUG 18776 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
DEBUG 18776 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
DEBUG 18776 --- [nio-8080-exec-1] o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@29dbd699
DEBUG 18776 --- [nio-8080-exec-4] o.s.b.w.s.f.OrderedRequestContextFilter : Bound request context to thread: org.apache.catalina.connector.RequestFacade@29dbd699
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@84a2a85a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails@7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 6 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/exercise/2' doesn't match 'POST /logout
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 7 of 14 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails@7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/main'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/user'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/runtime.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/polyfills.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/main.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/styles.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/exercise/2'; against '/vendor.js'
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/exercise/2; Attributes: [authenticated]
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails@7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@74ead523, returned: 1
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
DEBUG 18776 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : /api/exercise/2 reached end of additional filter chain; proceeding with original chain
Getting exercise by ID: 2
DEBUG 18776 --- [nio-8080-exec-4] org.hibernate.SQL : select exercise0_.id as id1_0_0_, exercise0_.instructions as instruct2_0_0_, exercise0_.name as name3_0_0_ from operation_movement.exercises exercise0_ where exercise0_.id=?
DEBUG 18776 --- [nio-8080-exec-4] org.hibernate.SQL : select goaltypes0_.exercise_id as exercise1_1_0_, goaltypes0_.goal_types_id as goal_typ2_1_0_, goaltype1_.id as id1_2_1_, goaltype1_.name as name2_2_1_ from operation_movement.exercises_goal_types goaltypes0_ inner join operation_movement.goaltypes goaltype1_ on goaltypes0_.goal_types_id=goaltype1_.id where goaltypes0_.exercise_id=?
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2de4577a
DEBUG 18776 --- [nio-8080-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
DEBUG 18776 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
DEBUG 18776 --- [nio-8080-exec-4] o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@29dbd699
这是POST的Spring日志,它返回403响应:
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@84a2a85a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails@7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /newExercise at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/newExercise
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@2de4577a
DEBUG 18776 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
DEBUG 18776 --- [nio-8080-exec-7] o.s.b.w.s.f.OrderedRequestContextFilter : Cleared thread-bound request context: org.apache.catalina.connector.RequestFacade@29dbd699
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG 18776 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@84a2a85a: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails@7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 6 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/logout'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 7 of 14 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 8 of 14 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 9 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 10 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 11 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails@7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 12 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 13 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/main'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/user'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/runtime.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/polyfills.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/main.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/styles.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/error'; against '/vendor.js'
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /error; Attributes: [authenticated]
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@84a2a85a: Principal: com.op.movement.model.ApplicationUserDetails@7b5de4fa; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Not granted any authorities
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@74ead523, returned: 1
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
DEBUG 18776 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /error reached end of additional filter chain; proceeding with original chain
DEBUG 18776 --- [nio-8080-exec-7] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
DEBUG 18776 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
请让我知道是否有什么我可以提供帮助的。
答案 0 :(得分:5)
对于具有相同问题的任何人,
csrf().disable()
将解决此问题,尽管我不知道为什么。当使用cookie时,春季CSRF和CORS似乎发生了某种冲突...
如果我不得不猜测,以下内容将无法正常工作
.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
这很奇怪,因为它直接引用了Angular:
A CsrfTokenRepository that persists the CSRF token in a cookie named "XSRF-TOKEN" and
reads from the header "X-XSRF-TOKEN" following the conventions of AngularJS. When
using with AngularJS be sure to use withHttpOnlyFalse().
以上似乎是正确的-我看到CSRF令牌是由浏览器设置并发送的,但是Spring并不接受它为有效令牌。 (请参阅上面的日志)
Invalid CSRF token found for http://localhost:8080/newExercise
Request Cookies
JSESSIONID 31AD5A7891F8BB83072BFC040AABBB35
XSRF-TOKEN 579db734-412c-4ce8-82a2-20aa097e47f
目前,禁用CSRF可以用于开发,但是在现实世界中有一个用例,可以通过单独的服务器为我的角度应用程序提供服务,该服务器是唯一可以向我的spring服务器发出请求的服务器。希望其他信息可以对某人有所帮助,如果我能找到答案,我将尝试在此处发布真实答案。
答案 1 :(得分:2)
尝试将.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())替换为csrfTokenRepository和CsrfFilter:
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
请参见full answer
@Override protected void configure(HttpSecurity http) throws Exception { http.httpBasic().and().authorizeRequests() .antMatchers("/send-pin").permitAll() .antMatchers("/check-pin").permitAll() .antMatchers("/index.html", "/", "/login", "/someotherrurl") .permitAll().anyRequest().authenticated().and().csrf() .csrfTokenRepository(csrfTokenRepository()).and() .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);