0 votes

We have a project (containing a web backend and a mobile API backend) hosted on Google App Engine (we are also using Cloud Endpoints).

We use the Spring Framework for the web application, MVC & Security.

The problem now is that once I enable <csrf/> in our security.xml, the Cloud Endpoints project also requires a token because of this setting.

<http auto-config="true">
    <intercept-url pattern="/" access="ROLE_USER" />
    <form-login
        login-page="/login"
        default-target-url="/welcome"
        authentication-failure-url="/login?error"
        username-parameter="email"
        password-parameter="password" />
    <logout logout-success-url="/login?logout" />
    <!-- enable csrf protection -->
    <!-- <csrf/> -->
</http>

Is it possible to configure only certain folders or certain controllers to require this <csrf/> protection? I just want this CSRF setting to protect my web backend.


1 Answer

0 votes

Have a separate URI structure for the mobile APIs, for example "api/mob/getPostsByUserId", and create a new http tag in the spring-security config file as

<!-- pattern must match the mobile URI prefix, e.g. /api/mob/getPostsByUserId -->
<http auto-config="false" pattern="/api/mob/**">
    <!-- .. your other settings -->
</http>
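The complete security.xml that the answer describes, written out as an added example (it is not the asker's or answerer's own configuration, and the header-token authentication on the mobile chain, the `/api/mob/**` prefix and the sample user are assumptions). It shows the two points that matter in practice: the mobile chain must be declared before the catch-all web chain, because Spring Security picks the first <http> element whose pattern matches, and CSRF is switched off only on that chain with `<csrf disabled="true"/>` (available from Spring Security 3.2), while the web chain keeps `<csrf/>`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- 1. Mobile API chain. Declared FIRST: <http> elements are evaluated in
         document order and the first matching pattern wins, so the catch-all
         web chain must come after this one. -->
    <http pattern="/api/mob/**" create-session="stateless" use-expressions="true">
        <!-- No HTTP session and no cookie-based login on this chain, so the
             CSRF filter is disabled here only (Spring Security 3.2+). -->
        <csrf disabled="true"/>
        <intercept-url pattern="/api/mob/**" access="hasRole('ROLE_USER')"/>
        <!-- Assumption: mobile clients send credentials in a request header
             (here HTTP Basic as a stand-in); replace with the mechanism the
             Cloud Endpoints side actually uses. -->
        <http-basic/>
    </http>

    <!-- 2. Web backend chain: every request not matched above. -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <form-login login-page="/login"
                    default-target-url="/welcome"
                    authentication-failure-url="/login?error"
                    username-parameter="email"
                    password-parameter="password"/>
        <logout logout-success-url="/login?logout"/>
        <!-- CSRF protection applies to this chain only. -->
        <csrf/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Constructed sample user for a local test; use a real provider in deployment. -->
                <user name="alice@example.com" password="changeme" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

The reason this split is safe rather than a hole is `create-session="stateless"` plus header-carried credentials on the mobile chain: CSRF is only a risk where the browser attaches the session cookie automatically, so a chain that never reads the cookie has nothing for a cross-site request to ride on. If the `/api/mob/**` URLs were instead reachable with the same session cookie the web chain issues, disabling CSRF there would simply exempt those URLs from the protection; a quick check is to call a mobile endpoint with only the browser's JSESSIONID cookie and confirm it is rejected.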