Loading...

XML

Word

Printable

Type: New Feature
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: 9.6.3
Component/s: None
Labels:
- security

User Story

As an app dev, I want to use Spring Security default CSRF to secure my application's requests.

Acceptance Criteria

provide a way to make ZK works with Spring Security CSRF without problems.
If this feature we provide is very specific to spring, we should put this feature into zkspring, to fix ZKSPRING-55

Details

When using spring security with ZK, app devs have to disable CSRF currently like https://github.com/zkoss/zkspring/blob/master/zkspringessentials/zkspringcoresec/src/main/java/org/zkoss/zkspringessentials/config/SecurityConfig.java#L23 because au request doesn't contain this token and will be rejected by spring security filter. ZK should provide a way to work with this feature.

relates to

ZK-4978 avoid sending sensitive data in url parameters

Open

ZKSPRING-55 Support for Spring Security default CSFR /zkau error 403 access denied

Open

Assignee:: Unassigned

Reporter:: hawk

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 14/Apr/23 4:24 AM

Updated:: 14/Apr/23 6:16 AM