Enable CSRF-Protection possible and update samples

closes codecentric#805

Author: joshiste

spring-boot-admin-docs/src/main/asciidoc/security.adoc

@@ -11,6 +11,13 @@ A Spring Security configuration could look like this:
 ----
 include::{samples-dir}/spring-boot-admin-sample-servlet/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java[tags=configuration-spring-security]
 ----
+<1> Grants public access to all static assets and the login page.
+<2> Every other request must be authenticated.
+<3> Configures login and logout.
+<4> Enables HTTP-Basic support. This is needed for the Spring Boot Admin Client to register.
+<5> Enables CSRF-Protection using Cookies
+<6> Disables CRSF-Protection the endpoint the Spring Boot Admin Client uses to register.
+<7> Disables CRSF-Protection for the actuator endpoints.
 
 For a complete sample look at https://github.com/codecentric/spring-boot-admin/tree/master/spring-boot-admin-samples/spring-boot-admin-sample-servlet/[spring-boot-admin-sample-servlet.
 
@@ -50,3 +57,16 @@ WARNING: You should configure HTTPS for your SBA Server or (service registry) wh
 WARNING: When using Spring Cloud Discovery, you must be aware that anybody who can query your service registry can obtain the credentials.
 
 TIP: When using this approach the SBA Server decides whether or not the user can access the registered applications. There are more complex solutions possible (using OAuth2) to let the clients decide if the user can access the endpoints. For that please have a look at the samples in https://github.com/joshiste/spring-boot-admin-samples[joshiste/spring-boot-admin-samples^].
+
+==== CSRF on Actuator Endpoints ====
+
+Some of the actuator endpoints (e.g. `/loggers`) support POST requests. When using Spring Security you need to ignore the actuator endpoints for CSRF-Protection as the Spring Boot Admin Server currently lacks support.
+
+[source,java]
+----
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+ http.csrf()
+ .ignoringAntMatchers("/actuator/**");
+}
+----

spring-boot-admin-samples/spring-boot-admin-sample-consul/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -39,8 +40,13 @@ public class SpringBootAdminApplication {
  public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll()//
- .and().csrf().disable();
+ http.authorizeRequests()
+ .anyRequest()
+ .permitAll()
+ .and()
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  }
  }
 
@@ -67,7 +73,9 @@ protected void configure(HttpSecurity http) throws Exception {
  .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
  .logout().logoutUrl(adminContextPath + "/logout").and()
  .httpBasic().and()
- .csrf().disable();
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  // @formatter:on
  }
  }

spring-boot-admin-samples/spring-boot-admin-sample-eureka/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -42,8 +43,13 @@ public static void main(String[] args) {
  public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll()//
- .and().csrf().disable();
+ http.authorizeRequests()
+ .anyRequest()
+ .permitAll()
+ .and()
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  }
  }
 
@@ -70,7 +76,9 @@ protected void configure(HttpSecurity http) throws Exception {
  .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
  .logout().logoutUrl(adminContextPath + "/logout").and()
  .httpBasic().and()
- .csrf().disable();
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  // @formatter:on
  }
  }

spring-boot-admin-samples/spring-boot-admin-sample-hazelcast/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import com.hazelcast.config.Config;
 import com.hazelcast.config.EvictionPolicy;
 import com.hazelcast.config.InMemoryFormat;
@@ -50,8 +51,13 @@ public Config hazelcastConfig() {
  public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll()//
- .and().csrf().disable();
+ http.authorizeRequests()
+ .anyRequest()
+ .permitAll()
+ .and()
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  }
  }
 
@@ -78,7 +84,9 @@ protected void configure(HttpSecurity http) throws Exception {
  .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
  .logout().logoutUrl(adminContextPath + "/logout").and()
  .httpBasic().and()
- .csrf().disable();
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  // @formatter:on
  }
  }

spring-boot-admin-samples/spring-boot-admin-sample-servlet/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -42,6 +42,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -59,8 +60,13 @@ public static void main(String[] args) {
  public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll()//
- .and().csrf().disable();
+ http.authorizeRequests()
+ .anyRequest()
+ .permitAll()
+ .and()
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  }
  }
 
@@ -81,14 +87,19 @@ protected void configure(HttpSecurity http) throws Exception {
  successHandler.setTargetUrlParameter("redirectTo");
 
  http.authorizeRequests()
- .antMatchers(adminContextPath + "/assets/**").permitAll()
+ .antMatchers(adminContextPath + "/assets/**").permitAll() // <1>
  .antMatchers(adminContextPath + "/login").permitAll()
- .anyRequest().authenticated()
+ .anyRequest().authenticated() // <2>
  .and()
- .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
+ .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and() // <3>
  .logout().logoutUrl(adminContextPath + "/logout").and()
- .httpBasic().and()
- .csrf().disable();
+ .httpBasic().and() // <4>
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) // <5>
+ .ignoringAntMatchers(
+ "/instances", // <6>
+ "/actuator/**" // <7>
+ );
  // @formatter:on
  }
  }

spring-boot-admin-samples/spring-boot-admin-sample-war/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -28,6 +28,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -44,8 +45,13 @@ protected SpringApplicationBuilder configure(SpringApplicationBuilder applicatio
  public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll()//
- .and().csrf().disable();
+ http.authorizeRequests()
+ .anyRequest()
+ .permitAll()
+ .and()
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  }
  }
 
@@ -72,7 +78,9 @@ protected void configure(HttpSecurity http) throws Exception {
  .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
  .logout().logoutUrl(adminContextPath + "/logout").and()
  .httpBasic().and()
- .csrf().disable();
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  // @formatter:on
  }
  }

spring-boot-admin-samples/spring-boot-admin-sample-zookeeper/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -38,8 +39,13 @@ public class SpringBootAdminApplication {
  public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
- http.authorizeRequests().anyRequest().permitAll()//
- .and().csrf().disable();
+ http.authorizeRequests()
+ .anyRequest()
+ .permitAll()
+ .and()
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  }
  }
 
@@ -66,7 +72,9 @@ protected void configure(HttpSecurity http) throws Exception {
  .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
  .logout().logoutUrl(adminContextPath + "/logout").and()
  .httpBasic().and()
- .csrf().disable();
+ .csrf()
+ .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+ .ignoringAntMatchers("/instances", "/actuator/**");
  // @formatter:on
  }
  }

spring-boot-admin-server-ui/src/main/frontend/login.html

@@ -38,6 +38,10 @@
  </figure>
  <h1 class="title has-text-primary">Spring Boot Admin</h1>
  <form method="post">
+ <input type="hidden"
+ th:if="${_csrf}"
+ th:name="${_csrf.parameterName}"
+ th:value="${_csrf.token}"/>
  <div class="field">
  <p class="is-medium has-text-danger" th:unless="${param.error == null}">
  Invalid username or password

spring-boot-admin-server-ui/src/main/frontend/services/instance.js

@@ -21,9 +21,11 @@ import {Observable} from '@/utils/rxjs'
 import uri from '@/utils/uri';
 import _ from 'lodash';
 
-const actuatorMimeTypes = ['application/vnd.spring-boot.actuator.v2+json',
+const actuatorMimeTypes = [
+ 'application/vnd.spring-boot.actuator.v2+json',
  'application/vnd.spring-boot.actuator.v1+json',
- 'application/json'];
+ 'application/json'
+];
 
 class Instance {
  constructor(id) {