Revert default for CSRF enabled to false

Fixes gh-12267
pull/12629/head
Madhura Bhave 7 years ago
parent 452492183d
commit c2f7dd86dc

@ -75,7 +75,7 @@ public class SecurityProperties implements SecurityPrerequisite {
/**
* Enable Cross Site Request Forgery support.
*/
private boolean enableCsrf = true;
private boolean enableCsrf = false;
private Basic basic = new Basic();
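Review bot: the Javadoc above the field still reads `* Enable Cross Site Request Forgery support.` while the default has been flipped to `private boolean enableCsrf = false;`, so a reader of the generated metadata will not learn that the protection is now off unless they opt in. Suggest stating the default in the comment (for example "Enable Cross Site Request Forgery support. Disabled by default.") so that applications serving browser sessions are not left assuming the check is active.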

@ -123,11 +123,11 @@ public class SecurityPropertiesTests {
}
@Test
public void testCSrf() {
assertThat(this.security.isEnableCsrf()).isEqualTo(true);
this.binder.bind(new MutablePropertyValues(
Collections.singletonMap("security.enable-csrf", false)));
public void testCsrf() {
assertThat(this.security.isEnableCsrf()).isEqualTo(false);
this.binder.bind(new MutablePropertyValues(
Collections.singletonMap("security.enable-csrf", true)));
assertThat(this.security.isEnableCsrf()).isEqualTo(true);
}
}
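Review bot: this test only exercises the `SecurityProperties` bean (default `false`, then `true` after binding `security.enable-csrf`), not the effective filter chain; since the commit reverts a security default, consider adding a companion auto-configuration test asserting that no CSRF filter is registered by default and that it appears once `security.enable-csrf=true` is set. The rename from `testCSrf()` to `testCsrf()` is a welcome cleanup of the method name.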

@ -447,7 +447,7 @@ content into your application; rather pick only the properties that you need.
security.basic.enabled=true # Enable basic authentication.
security.basic.path=/** # Comma-separated list of paths to secure.
security.basic.realm=Spring # HTTP basic realm name.
security.enable-csrf=true # Enable Cross Site Request Forgery support.
security.enable-csrf=false # Enable Cross Site Request Forgery support.
security.filter-order=0 # Security filter chain order.
security.filter-dispatcher-types=ASYNC, FORWARD, INCLUDE, REQUEST # Security filter chain dispatcher types.
security.headers.cache=true # Enable cache control HTTP headers.
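Review bot: in the appendix the changed line `security.enable-csrf=false # Enable Cross Site Request Forgery support.` now pairs a disabled default with a comment that only describes the enabled state, unlike neighbouring entries such as `security.headers.cache=true # Enable cache control HTTP headers.` where value and comment agree. Suggest wording the comment so the reduced default is explicit, e.g. "Enable Cross Site Request Forgery support (off by default)", since this list is what most users copy from.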

@ -2536,8 +2536,9 @@ The basic features you get out of the box in a web application are:
* HTTP Basic security for all other endpoints.
* Security events published to Spring's `ApplicationEventPublisher` (successful and
unsuccessful authentication and access denied).
* Common low-level features (HSTS, XSS, CSRF, caching) provided by Spring Security are
* Common low-level features (HSTS, XSS, caching) provided by Spring Security are
on by default.
* Cross Site Request Forgery (CSRF) checks are disabled by default.
All of the above can be switched on and off or modified using external properties
(`+security.*+`). To override the access rules without changing any other auto-configured
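Review bot: the new bullet `* Cross Site Request Forgery (CSRF) checks are disabled by default.` states the new behaviour but not how to turn it back on; the following sentence only refers to `security.*` generically. Suggest naming `security.enable-csrf=true` directly in the bullet, and briefly noting that applications using cookie-based sessions should enable it, so the documentation gives readers the mitigation alongside the weakened default.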
@ -2790,6 +2791,7 @@ If the Actuator is also in use, you will find:
* Security events are transformed into `AuditEvent` instances and published to the
`AuditEventRepository`.
* The default user will have the `ACTUATOR` role as well as the `USER` role.
* Cross Site Request Forgery (CSRF) checks are disabled for actuator endpoints.
The Actuator security features can be modified using external properties
(`+management.security.*+`). To override the application access rules
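Review bot: the added bullet `* Cross Site Request Forgery (CSRF) checks are disabled for actuator endpoints.` does not say whether this is fixed behaviour or controllable, yet the next sentence claims the Actuator security features can be modified via `management.security.*`. Suggest clarifying which property (if any) governs CSRF for actuator endpoints, or stating plainly that it is always disabled there, so operators exposing actuator endpoints to browser-authenticated users can assess the risk.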
