Enable CSRF-Protection possible and update samples

spring-boot-admin-docs/src/main/asciidoc/security.adoc

@@ -11,6 +11,13 @@ A Spring Security configuration could look like this:
 ----
 include::{samples-dir}/spring-boot-admin-sample-servlet/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java[tags=configuration-spring-security]
 ----
+<1> Grants public access to all static assets and the login page.
+<2> Every other request must be authenticated.
+<3> Configures login and logout.
+<4> Enables HTTP-Basic support. This is needed for the Spring Boot Admin Client to register.
+<5> Enables CSRF-Protection using Cookies
+<6> Disables CRSF-Protection the endpoint the Spring Boot Admin Client uses to register.
+<7> Disables CRSF-Protection for the actuator endpoints.
 
 For a complete sample look at https://github.com/codecentric/spring-boot-admin/tree/master/spring-boot-admin-samples/spring-boot-admin-sample-servlet/[spring-boot-admin-sample-servlet.
 
@@ -50,3 +57,16 @@ WARNING: You should configure HTTPS for your SBA Server or (service registry) wh
 WARNING: When using Spring Cloud Discovery, you must be aware that anybody who can query your service registry can obtain the credentials.
 
 TIP: When using this approach the SBA Server decides whether or not the user can access the registered applications. There are more complex solutions possible (using OAuth2) to let the clients decide if the user can access the endpoints. For that please have a look at the samples in https://github.com/joshiste/spring-boot-admin-samples[joshiste/spring-boot-admin-samples^].
+
+==== CSRF on Actuator Endpoints ====
+
+Some of the actuator endpoints (e.g. `/loggers`) support POST requests. When using Spring Security you need to ignore the actuator endpoints for CSRF-Protection as the Spring Boot Admin Server currently lacks support.
+
+[source,java]
+----
+@Override
+protected void configure(HttpSecurity http) throws Exception {
+    http.csrf()
+        .ignoringAntMatchers("/actuator/**");
+}
+----

spring-boot-admin-samples/spring-boot-admin-sample-consul/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -39,8 +40,13 @@ public class SpringBootAdminApplication {
     public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
-            http.authorizeRequests().anyRequest().permitAll()//
-                .and().csrf().disable();
+            http.authorizeRequests()
+                .anyRequest()
+                .permitAll()
+                .and()
+                .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
         }
     }
 
@@ -67,7 +73,9 @@ public class SpringBootAdminApplication {
             .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
             .logout().logoutUrl(adminContextPath + "/logout").and()
             .httpBasic().and()
-            .csrf().disable();
+            .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
             // @formatter:on
         }
     }

spring-boot-admin-samples/spring-boot-admin-sample-eureka/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -42,8 +43,13 @@ public class SpringBootAdminApplication {
     public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
-            http.authorizeRequests().anyRequest().permitAll()//
-                .and().csrf().disable();
+            http.authorizeRequests()
+                .anyRequest()
+                .permitAll()
+                .and()
+                .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
         }
     }
 
@@ -70,7 +76,9 @@ public class SpringBootAdminApplication {
             .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
             .logout().logoutUrl(adminContextPath + "/logout").and()
             .httpBasic().and()
-            .csrf().disable();
+            .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
             // @formatter:on
         }
     }

spring-boot-admin-samples/spring-boot-admin-sample-hazelcast/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import com.hazelcast.config.Config;
 import com.hazelcast.config.EvictionPolicy;
 import com.hazelcast.config.InMemoryFormat;
@@ -50,8 +51,13 @@ public class SpringBootAdminApplication {
     public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
-            http.authorizeRequests().anyRequest().permitAll()//
-                .and().csrf().disable();
+            http.authorizeRequests()
+                .anyRequest()
+                .permitAll()
+                .and()
+                .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
         }
     }
 
@@ -78,7 +84,9 @@ public class SpringBootAdminApplication {
             .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
             .logout().logoutUrl(adminContextPath + "/logout").and()
             .httpBasic().and()
-            .csrf().disable();
+            .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
             // @formatter:on
         }
     }

spring-boot-admin-samples/spring-boot-admin-sample-servlet/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -42,6 +42,7 @@ import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -59,8 +60,13 @@ public class SpringBootAdminApplication {
     public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
-            http.authorizeRequests().anyRequest().permitAll()//
-                .and().csrf().disable();
+            http.authorizeRequests()
+                .anyRequest()
+                .permitAll()
+                .and()
+                .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
         }
     }
 
@@ -81,14 +87,19 @@ public class SpringBootAdminApplication {
             successHandler.setTargetUrlParameter("redirectTo");
 
             http.authorizeRequests()
-                .antMatchers(adminContextPath + "/assets/**").permitAll()
+                .antMatchers(adminContextPath + "/assets/**").permitAll() // <1>
                 .antMatchers(adminContextPath + "/login").permitAll()
-                .anyRequest().authenticated()
+                .anyRequest().authenticated() // <2>
                 .and()
-            .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
+            .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and() // <3>
             .logout().logoutUrl(adminContextPath + "/logout").and()
-            .httpBasic().and()
-            .csrf().disable();
+            .httpBasic().and() // <4>
+            .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())  // <5>
+                .ignoringAntMatchers(
+                    "/instances",   // <6>
+                    "/actuator/**"  // <7>
+                );
             // @formatter:on
         }
     }

spring-boot-admin-samples/spring-boot-admin-sample-war/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -28,6 +28,7 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -44,8 +45,13 @@ public class SpringBootAdminApplication extends SpringBootServletInitializer {
     public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
-            http.authorizeRequests().anyRequest().permitAll()//
-                .and().csrf().disable();
+            http.authorizeRequests()
+                .anyRequest()
+                .permitAll()
+                .and()
+                .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
         }
     }
 
@@ -72,7 +78,9 @@ public class SpringBootAdminApplication extends SpringBootServletInitializer {
             .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
             .logout().logoutUrl(adminContextPath + "/logout").and()
             .httpBasic().and()
-            .csrf().disable();
+            .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
             // @formatter:on
         }
     }

spring-boot-admin-samples/spring-boot-admin-sample-zookeeper/src/main/java/de/codecentric/boot/admin/SpringBootAdminApplication.java

@@ -27,6 +27,7 @@ import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 
 @Configuration
 @EnableAutoConfiguration
@@ -38,8 +39,13 @@ public class SpringBootAdminApplication {
     public static class SecurityPermitAllConfig extends WebSecurityConfigurerAdapter {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
-            http.authorizeRequests().anyRequest().permitAll()//
-                .and().csrf().disable();
+            http.authorizeRequests()
+                .anyRequest()
+                .permitAll()
+                .and()
+                .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
         }
     }
 
@@ -66,7 +72,9 @@ public class SpringBootAdminApplication {
             .formLogin().loginPage(adminContextPath + "/login").successHandler(successHandler).and()
             .logout().logoutUrl(adminContextPath + "/logout").and()
             .httpBasic().and()
-            .csrf().disable();
+            .csrf()
+                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+                .ignoringAntMatchers("/instances", "/actuator/**");
             // @formatter:on
         }
     }

spring-boot-admin-server-ui/src/main/frontend/login.html

@@ -38,6 +38,10 @@
                     </figure>
                     <h1 class="title has-text-primary">Spring Boot Admin</h1>
                     <form method="post">
+                        <input type="hidden"
+                               th:if="${_csrf}"
+                               th:name="${_csrf.parameterName}"
+                               th:value="${_csrf.token}"/>
                         <div class="field">
                             <p class="is-medium has-text-danger" th:unless="${param.error == null}">
                                 Invalid username or password

spring-boot-admin-server-ui/src/main/frontend/services/instance.js

@@ -21,9 +21,11 @@ import {Observable} from '@/utils/rxjs'
 import uri from '@/utils/uri';
 import _ from 'lodash';
 
-const actuatorMimeTypes = ['application/vnd.spring-boot.actuator.v2+json',
+const actuatorMimeTypes = [
+  'application/vnd.spring-boot.actuator.v2+json',
   'application/vnd.spring-boot.actuator.v1+json',
-  'application/json'];
+  'application/json'
+];
 
 class Instance {
   constructor(id) {