Loading...

XML

Word

Printable

Type: New Feature
Resolution: Done
Priority: Normal
Fix Version/s: 10.2.0
Affects Version/s: 9.6.3
Component/s: None
Labels:
- security
- zk10todo

Safety specification requirements:
None

User Story

As an app dev, I want to use Spring Security default CSRF to secure my application's requests.

Acceptance Criteria

provide a way to make ZK works with Spring Security CSRF without problems.
If this feature we provide is very specific to spring, we should put this feature into zkspring, to fix ~~ZKSPRING-55~~

Details

When using spring security with ZK, app devs have to disable CSRF currently like https://github.com/zkoss/zkspring/blob/master/zkspringessentials/zkspringcoresec/src/main/java/org/zkoss/zkspringessentials/config/SecurityConfig.java#L23 because au request doesn't contain this token and will be rejected by spring security filter. ZK should provide a way to work with this feature.

relates to

ZK-4978 avoid sending sensitive data in url parameters

Open

ZKSPRING-55 Support for Spring Security default CSFR /zkau error 403 access denied

Closed

ZK-5461 Provide easy-to-override headers functions to client-side request emmitors

Closed

Assignee:: rebeccalai
Reporter:: hawk
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: 14/Apr/23 4:24 AM
Updated:: 17/Apr/25 7:35 AM
Resolved:: 17/Apr/25 7:35 AM