How can I disable CSRF only for my API with Spring Security? [closed]

I'm creating a project with Spring using Spring Security, but I'm having a problem only with my API (all controllers are working correctly with CSRF). It seems like the CSRF is causing problems for my API, because when I make a request to my API I get:

[{"id":1,"titulo":"vineta3","creationdate":1489329545000,"URL":"http://i2.kym-cdn.com/photos/images/facebook/000/125/918/RMUBQ.png","likes":0,"dislikes":0,"descripcion":"des3"},{"id":2,"titulo":"vineta4","creationdate":1489329545000,"URL":"http://i0.kym-cdn.com/photos/images/newsfeed/000/125/163/ragek.jpg?1318992465","likes":0,"dislikes":0,"descripcion":"des4"}]{"timestamp":1489329557093,"status":200,"error":"OK","exception":"java.lang.NullPointerException","message":"No message available","path":"/api/vinetas2/"}

The last part:

"timestamp":1489329557093,"status":200,"error":"OK","exception":"java.lang.NullPointerException","message":"No message available","path":"/api/vinetas2/"

is not returned when my project does not have Spring Security. I'm using the following code for my security configuration.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Project-specific AuthenticationProvider backed by the user repository
    @Autowired
    public UserRepositoryAuthenticationProvider authenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Public pages
        http.authorizeRequests().antMatchers("/").permitAll();
        http.authorizeRequests().antMatchers("/login").permitAll();
        http.authorizeRequests().antMatchers("/loginerror").permitAll();
        http.authorizeRequests().antMatchers("/registro").permitAll();
        http.authorizeRequests().antMatchers("/signup").permitAll();
        // Read access to the API is public; CSRF is left at its default (enabled) here
        http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/**").permitAll();

        // Private pages (all other pages)
        http.authorizeRequests().antMatchers("/home").hasAnyRole("USER");
        //http.authorizeRequests().antMatchers("/crearComentario/vineta/{id}").hasAnyRole("USER");

        // Login form
        http.formLogin().loginPage("/login");
        http.formLogin().usernameParameter("username");
        http.formLogin().passwordParameter("password");
        http.formLogin().defaultSuccessUrl("/home");
        http.formLogin().failureUrl("/loginerror");

        // Logout
        http.logout().logoutUrl("/logout");
        http.logout().logoutSuccessUrl("/");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        // Database authentication provider
        auth.authenticationProvider(authenticationProvider);
    }
}

and the following for my CSRF handling:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

@Configuration
public class CSRFHandlerConfiguration extends WebMvcConfigurerAdapter {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Registered without path patterns, so it runs for every handler, /api/** included
        registry.addInterceptor(new CSRFHandlerInterceptor());
    }
}

class CSRFHandlerInterceptor extends HandlerInterceptorAdapter {

    @Override
    public void postHandle(final HttpServletRequest request,
            final HttpServletResponse response, final Object handler,
            final ModelAndView modelAndView) throws Exception {

        // Copies the token that Spring Security's CsrfFilter stored on the request into the view model.
        // Note: for @ResponseBody / @RestController handlers Spring MVC passes modelAndView as null.
        CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
        modelAndView.addObject("token", token.getToken());
    }
}
    
asked by randall 12.03.2017 at 16:11

0 answers
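Added example (editor's note, not part of the question or of any answer): the error JSON glued onto the array is not produced by Spring Security's CSRF check. CsrfFilter does not check GET, HEAD, TRACE or OPTIONS at all, and GET /api/** is permitAll, so the request passes the filter chain; the NullPointerException comes from CSRFHandlerInterceptor.postHandle, which receives a null ModelAndView for @ResponseBody / @RestController handlers. By the time it throws, the JSON array has already been written and the response committed, which is why Spring Boot's error handler appends its own JSON to the same body with the original 200 status. The configuration below, written against the Spring Boot 1.x / Spring Security 4.x APIs the question uses, shows the two changes that address the title question and the actual failure: exempting /api/** from CSRF with csrf().ignoringAntMatchers(...) and keeping the interceptor away from REST handlers. The class names ApiCsrfSecurityConfiguration, ApiAwareCsrfHandlerConfiguration and NullSafeCsrfHandlerInterceptor are assumptions chosen for this example; the authentication-provider wiring from the question is omitted because it is unchanged.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical replacement for the question's SecurityConfiguration (example code).
@Configuration
@EnableWebSecurity
public class ApiCsrfSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/login", "/loginerror", "/registro", "/signup").permitAll()
                .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                .antMatchers("/home").hasRole("USER");

        // CSRF protection stays on for the form-login pages. Requests under /api/** are
        // removed from the "require protection" matcher, so POST/PUT/DELETE to the API
        // no longer need a token. This is only safe if /api/** is NOT authenticated by
        // the session cookie (e.g. it takes an Authorization header, which a browser will
        // not attach on its own); otherwise state-changing API calls become forgeable.
        http.csrf().ignoringAntMatchers("/api/**");

        http.formLogin().loginPage("/login")
                .usernameParameter("username").passwordParameter("password")
                .defaultSuccessUrl("/home").failureUrl("/loginerror");
        http.logout().logoutUrl("/logout").logoutSuccessUrl("/");
    }
}

// Registers the token interceptor for view controllers only; /api/** never reaches it.
@Configuration
class ApiAwareCsrfHandlerConfiguration extends WebMvcConfigurerAdapter {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new NullSafeCsrfHandlerInterceptor())
                .excludePathPatterns("/api/**");
    }
}

// Copies the CSRF token into the model, but only when there is a model to copy into.
class NullSafeCsrfHandlerInterceptor extends HandlerInterceptorAdapter {

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) {
        // @ResponseBody / @RestController handlers write the body themselves and hand
        // postHandle a null ModelAndView. Returning here is what removes the NPE even if
        // the interceptor is registered for every path.
        if (modelAndView == null) {
            return;
        }
        // CsrfFilter stores the token under CsrfToken.class.getName() as well as "_csrf".
        // It is absent when CSRF is disabled or the request bypasses the security filter
        // chain, so guard against null here too.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token != null) {
            modelAndView.addObject("token", token.getToken());
        }
    }
}
```

Practitioner's check before adopting the ignoringAntMatchers line: if the API is called from the site's own pages with the logged-in session cookie, keep CSRF enabled for it and send the token in the X-CSRF-TOKEN header (the default header name of HttpSessionCsrfTokenRepository) from the page's JavaScript instead; exempting a cookie-authenticated endpoint from CSRF is exactly the condition under which a cross-site page can issue the same request.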