Question
I am developing a project with the JHipster framework (Angular 10 + Spring Boot) and I need a file manager, so I chose CKFinder. The server side in Java works well in a microservice (before, I generated a JHipster microservice and adapted it with the Spring Boot app). The client side of CKFinder is already inside the dependency. So when I test the microservice on the host "http://localhost:8090/" everything works. But I want to go through my gateway, so I test on "http://localhost:8080/service/media/" with CKEditor configured as:
CKEDITOR.replace( 'editor1', {
    filebrowserBrowseUrl: '/service/media/ckfinder/static/ckfinder.html'
} );
But I get the normal error that the connector path is wrong. So I manually installed the client side in "/content/plugins/ckfinder" in the media service to edit the config.js file (I cannot modify the CKFinder config in the compiled jar). So I changed the URL in CKEditor:
CKEDITOR.replace( 'editor1', {
    filebrowserBrowseUrl: '/service/media/content/plugins/ckfinder/ckfinder.html'
} );
And I added this to config.js:
config.connectorPath = '/service/media/connector';
This allows getting the file manager without error. But when I try to rename, upload, ... (POST methods) an error occurs: the server-side CSRF token is missing in the request parameters or header. That is normal because Angular 10 manages the CSRF automatically with Spring Boot (generated with JHipster) and all POST methods need a CSRF token. And ckfinder.html is outside of Angular, so no CSRF token is filled in. I have tried to configure CKFinder with:
config.connectorInfo = '_csrf=7901a26e4bc422aef54eb45';
This works, but the config is static and does not work for a dynamic token.
I would like to disable the CSRF of Spring Boot, but I tried many solutions on the web and nothing works. I use JHipster to generate the microservice and the gateway with a UAA server. So this is my security configuration:
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.web.client.RestTemplateCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.client.RestTemplate;
// OAuth2Properties, OAuth2SignatureVerifierClient, OAuth2JwtAccessTokenConverter and
// AuthoritiesConstants are JHipster-generated classes living in the application's own package.

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {

    private final OAuth2Properties oAuth2Properties;

    public SecurityConfiguration(OAuth2Properties oAuth2Properties) {
        this.oAuth2Properties = oAuth2Properties;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is already switched off in this resource server
            .csrf()
            .disable()
            .headers()
            .frameOptions()
            .disable()
            .and()
            // no HTTP session: every request is authenticated by its JWT bearer token
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            .antMatchers("/api/**").authenticated()
            .antMatchers("/management/health").permitAll()
            .antMatchers("/management/info").permitAll()
            .antMatchers("/management/prometheus").permitAll()
            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN);
    }

    // JWT tokens are validated locally; the converter verifies the UAA signature
    @Bean
    public TokenStore tokenStore(JwtAccessTokenConverter jwtAccessTokenConverter) {
        return new JwtTokenStore(jwtAccessTokenConverter);
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter(OAuth2SignatureVerifierClient signatureVerifierClient) {
        return new OAuth2JwtAccessTokenConverter(oAuth2Properties, signatureVerifierClient);
    }

    @Bean
    @Qualifier("loadBalancedRestTemplate")
    public RestTemplate loadBalancedRestTemplate(RestTemplateCustomizer customizer) {
        RestTemplate restTemplate = new RestTemplate();
        customizer.customize(restTemplate);
        return restTemplate;
    }
}
I think the CSRF cannot be disabled with the JWT OAuth2, no? And I really need the UAA authentication because the functionalities of CKFinder are not the same depending on the role in the JWT.
Thanks for telling me if this is not the right method to make CKFinder work. I found another idea to keep the CSRF, but I have a problem with Angular; look at this.
Don't hesitate if you want more details. Thank you for your help.
Solution
The solution that I found works, no need to disable the CSRF. Keep the CKFinder client and change the source code of ckfinder.js directly. Search for 'connectorInfo' and before 'r.connectorInfo' add:
"_csrf="+getCookie("XSRF-TOKEN")+"&"+
That's all :). This is a bypass solution for a specific use. Waiting for a better solution.
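The same idea as the answer, but done in config.js rather than by patching ckfinder.js, as an added example that is not code from the question, the answer or CKFinder: read the XSRF-TOKEN cookie (assumed readable by script, as the answer's getCookie("XSRF-TOKEN") implies) and build the "_csrf=<token>" value for config.connectorInfo at load time. The helper names are my own.

```javascript
// Added example (not from the question, the answer or CKFinder).
// Computes CKFinder's config.connectorInfo from the XSRF-TOKEN cookie so the
// CSRF check stays enabled and the token is no longer hard-coded or spliced
// into vendor code. Function names are assumptions of this example.

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
// Browsers hand cookie values back still percent-encoded, so decode them here.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq <= 0) continue;                 // empty or malformed pair: skip it
    const name = pair.slice(0, eq).trim();
    const rawValue = pair.slice(eq + 1);
    try {
      cookies[name] = decodeURIComponent(rawValue);
    } catch (e) {
      cookies[name] = rawValue;            // not valid percent-encoding: keep raw
    }
  }
  return cookies;
}

// Return the CSRF token that Spring Security's cookie repository exposes under
// the name XSRF-TOKEN, or null when the cookie is absent or empty.
function getCsrfToken(cookieString) {
  const token = parseCookies(cookieString)['XSRF-TOKEN'];
  return token ? token : null;
}

// Build the value for config.connectorInfo. The token is re-encoded so it is
// safe as a query-string parameter; a missing token throws rather than
// silently producing POSTs that the gateway will reject with a CSRF error.
function buildConnectorInfo(cookieString) {
  const token = getCsrfToken(cookieString);
  if (token === null) {
    throw new Error('XSRF-TOKEN cookie not found; open the page through the gateway first');
  }
  return '_csrf=' + encodeURIComponent(token);
}

// Constructed sample of what document.cookie might contain on the gateway host.
const SAMPLE_COOKIES = 'JSESSIONID=abc123; XSRF-TOKEN=8f3a%2Dtoken%3D; theme=dark';
console.log(buildConnectorInfo(SAMPLE_COOKIES));   // prints "_csrf=8f3a-token%3D"
```

In config.js the real call is `config.connectorInfo = buildConnectorInfo(document.cookie);`, placed before CKFinder initialises so every connector request carries the current token.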
Source: https://stackoverflow.com/questions/64949236/ckfinder-problem-how-to-disable-token-csrf-in-spring-boot-with-oauth2-jhipster