Description of the false positive
Given a SpringBoot application that acts solely as an API/OIDC Resource Server and does not utilize cookies or state, where CSRF is disabled, the CodeQL / Disabled Spring CSRF protection should not be triggered.
Code samples or links to source code
@Bean
SecurityFilterChain securityFilterChain(
final HttpSecurity http,
final String privateScope,
final AppUserPrincipalJwtAuthenticationConverter appUserPrincipalJwtAuthenticationConverter) {
http.formLogin(AbstractHttpConfigurer::disable)
.httpBasic(AbstractHttpConfigurer::disable)
.csrf(AbstractHttpConfigurer::disable) // NOSONAR stateless JWT, no CSRF cookies
.logout(AbstractHttpConfigurer::disable)
.sessionManagement(
session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(
authorize ->
authorize
.dispatcherTypeMatchers(DispatcherType.ERROR, DispatcherType.FORWARD)
.permitAll()
.requestMatchers(RuntimeEndpointPaths.unauthenticatedPaths())
.permitAll()
.requestMatchers(
new RegexRequestMatcher(
RuntimeEndpointPaths.versionedInternalRouteRegex(), null))
.access(interactiveUserAuthorizationManager())
.requestMatchers(
new RegexRequestMatcher(
RuntimeEndpointPaths.versionedPrivateRouteRegex(), null))
.access(
callerTypeAuthorizationManager(
OidcCallerType.CLIENT_CREDENTIALS, privateScope))
.anyRequest()
.authenticated())
.oauth2ResourceServer(
oauth2 ->
oauth2.jwt(
jwt ->
jwt.jwtAuthenticationConverter(
appUserPrincipalJwtAuthenticationConverter)));
return http.build();
}
Description of the false positive
Given a SpringBoot application that acts solely as an API/OIDC Resource Server and does not utilize cookies or state, where CSRF is disabled, the
CodeQL / Disabled Spring CSRF protectionshould not be triggered.Code samples or links to source code