Hello, We are working on a new application which is using Spring Security (Spring Boot 3.5.3) and Wicket (10.5.0), and we're encountering some issues with Spring CSRF:
Based on the Wicket documentation for CSRF prevention, we have the following in our WebApplication init():

```java
setRootRequestMapper(new CryptoMapper(getRootRequestMapper(), this));
getRequestCycleListeners().add(new ResourceIsolationRequestCycleListener());
```

Then, on the side of Spring Security, we have CSRF enabled (default behavior). With Spring CSRF enabled, all of our form Ajax requests fail silently, with a 403 Forbidden error being logged in dev tools:

```
Request URL: http://localhost:8080/myapp/{encryptedurl}
Request Method: POST
Status Code: 403 Forbidden
Remote Address: [::1]:8080
Referrer Policy: strict-origin-when-cross-origin
```

My request headers contain a cookie with the XSRF-TOKEN, but this is not being leveraged in any way currently. If I disable Spring CSRF, everything works as expected.

Based on the research I've done for this, I need to essentially add an 'X-XSRF-TOKEN' request header which contains the value of my XSRF-TOKEN cookie, but I couldn't find a Wicket hook to be able to do this and had a few questions:

1. Should we be enabling Spring CSRF in conjunction with Wicket's CSRF prevention mechanism?
2. If so, is there some hook to make these two work together seamlessly? I was trying to address this via various listeners in my web application init, but was unsuccessful.

We're hoping that since Spring is such a popular framework, someone else has experienced this / there's a clean solution.

Please let me know if you need any more information, and thank you for your time.

Thank you,
Jonathan Babie

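The header injection the question asks about (read Spring Security's XSRF-TOKEN cookie and add it as X-XSRF-TOKEN on Wicket's Ajax calls), as an added JavaScript example; it is not code from the e-mail, from Wicket or from Spring Security. It assumes the Spring side uses CookieCsrfTokenRepository.withHttpOnlyFalse() so the cookie is readable from script and accepts the raw cookie value in the header (as in Spring Security's documented single-page-application CSRF setup), and it hooks Wicket's global /ajax/call/beforeSend event; readCookie, needsToken and addXsrfHeader are names chosen here.

```javascript
// Added example (not from the original e-mail, Wicket or Spring Security):
// attach Spring Security's XSRF-TOKEN cookie value to every state-changing
// Wicket Ajax request as an X-XSRF-TOKEN header. Assumes the cookie is
// readable from JavaScript (CookieCsrfTokenRepository.withHttpOnlyFalse()).
const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'X-XSRF-TOKEN';

// Return the value of one cookie from a document.cookie string, or null.
function readCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Only same-origin, state-changing requests get the token: safe methods need
// no CSRF check, and sending the token to another origin would leak it.
function needsToken(method, url, origin) {
  const m = (method || 'GET').toUpperCase();
  if (m === 'GET' || m === 'HEAD' || m === 'OPTIONS' || m === 'TRACE') return false;
  return new URL(url, origin).origin === origin; // also resolves relative URLs
}

// Body of the Wicket beforeSend hook, kept separate so it can be exercised
// without a browser. Returns true when the header was added.
function addXsrfHeader(attrs, jqXHR, settings, cookieString, origin) {
  const token = readCookie(XSRF_COOKIE, cookieString);
  if (token === null) return false;
  // Wicket passes its Ajax attributes (m = method, u = url) and the jQuery
  // settings it built from them; prefer the final settings.
  if (!needsToken(settings.type || attrs.m, settings.url || attrs.u, origin)) return false;
  jqXHR.setRequestHeader(XSRF_HEADER, token);
  return true;
}

// Browser only: subscribe to Wicket's global Ajax event bus. The handler
// signature for /ajax/call/beforeSend is (jqEvent, attrs, jqXHR, settings).
if (typeof Wicket !== 'undefined' && Wicket.Event) {
  Wicket.Event.subscribe('/ajax/call/beforeSend', function (jqEvent, attrs, jqXHR, settings) {
    addXsrfHeader(attrs, jqXHR, settings, document.cookie, window.location.origin);
  });
}
```

Ship this as a page-level JavaScript resource (for example through a JavaScriptHeaderItem in the base page) so it loads after wicket-ajax; combined with ResourceIsolationRequestCycleListener, every Ajax POST then passes both Wicket's origin check and Spring's token check.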