Implement the OAuth 2.0 Authorization Code with PKCE Flow

Matt Raible

To overcome the issue with CSRF, you have to configure Spring Security to send the token in a cookie that Angular can read. By default, it’s in an HTTP-only cookie and JavaScript can’t read it.


import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Store the CSRF token in the XSRF-TOKEN cookie without the HttpOnly flag,
                // so Angular's HttpClient can read it and echo it back in the X-XSRF-TOKEN header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

If you’re using Angular, that should be all you need to do. It supports XSRF Protection in its HttpClient.

I’m guessing your Spring Boot app is version 1.5.x? The reason I ask is because @EnableOAuth2Sso is no longer recommended in Spring Boot 2.x. See Migrate Your Spring Boot App to the Latest and Greatest Spring Security and OAuth 2.0.

You might be interested in my Java Microservices with Spring Boot and Spring Cloud tutorial too. It doesn’t have an Angular client, but it shows how to configure the backend for OAuth with our latest bits and Spring Boot 2.1.5.