I have a SpringBoot webapp, and it's working OK for API users to access by first "logging in" via the URI http://localhost:8081/loginRest
My WebSecurityConfig looks like this:
    http.csrf().disable()
        .authorizeHttpRequests((requests) -> requests
            .requestMatchers("/", "/home", "/css/**", "/js/**", "/img/**", "/loginRest").permitAll()
            .anyRequest().authenticated())
        .formLogin((form) -> form
            .loginPage("/login").successHandler(authSuccessHandler)
            .permitAll())
        .logout((logout) -> logout.permitAll());
If I now want to enable CSRF protection for my Forms, I change it as follows:
    http.csrf(Customizer.withDefaults())
        .authorizeHttpRequests((requests) -> requests
            .requestMatchers("/", "/home", "/css/**", "/js/**", "/img/**", "/loginRest", ...
Which works fine for my HTML pages and forms, but also prevents POST requests to the /loginRest endpoint. What's the correct way to handle CSRF in this scenario? Do I need to make a GET request first, to read the CSRF value?