Hi guys,

We have just now started a new project with Spring and Hibernate. We should provide them the admin panel and REST API's. I recently implemented Spring security in the project. Since CSRF is enabled by default, when API is hit it asks for CSRF token. Incase I decide to remove the login form and CSRF from spring security, my admin panel will get affected. What do I do in this case? Also I read about cookie based authentication for REST API's but the articles were not clear. Can some one guide me through this?

Here is the code snippet I using for spring security.
@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/admin/**") .access("hasRole('ADMIN')").and().formLogin() .loginPage("/login").failureUrl("/login?error") .usernameParameter("username") .passwordParameter("password") .and().logout().logoutSuccessUrl("/login?logout") .and().exceptionHandling().accessDeniedPage("/403"); } @Bean public BCryptPasswordEncoder passwordEncoder(){ BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(); return encoder; }

Why would you want to remove the CSRF token?

Cookie based authentication pretty much just works by storing the currently logged-in user in a signed cookie. When the browser sends such a cookie to the server, it says "Hey, I previously logged in as this user, so don't ask me for a password again". To prevent a client from forging the user name, the cookie is signed so it can be verified by the server.