POST Request requires CSRF token

I have successfully implemented a SpringBoot web application integrated with Keycloak 9.0.2 using the “https://www.keycloak.org/docs/9.0/securing_apps/index.html#_spring_security_adapter” instructions.

Surprisingly, this works perfectly well for GET requests only.
When my web pages try to make a POST request to the server, I am getting a server failure for missing CSRF filter token.

I was able to bypass this error by overriding the behavior of org.keycloak.adapters.springsecurity.filter.KeycloakCsrfRequestMatcher adding “POST” to “allowedMethods” but I feel this is neither elegant nor compliant.

My argument is that since my browser has already been authenticated, any request to my server should be treated as authenticated.

Is there a proper way for handling POST requests from authenticated web pages?

Cancel this post.

I have been driving down the wrong direction.

CSRF handling was my problem finally and I have now implemented it accordingly.

Hi @eliasbalasis,
I have the same issue, and I also have a problem with the CSRF configuration, but I don’t know how to solve it. Can you show me the CSRF configuration?

In my initial configuration, CSRF was disabled:

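    import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;

    public class keycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
        // sessionAuthenticationStrategy() and any other members are not shown in the post
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            super.configure(http);
            // CSRF protection is switched off here (the initial configuration)
            http.cors().and().csrf().disable()
                    // no HTTP session is created or used
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                    .authorizeRequests()
                    .antMatchers("/#")
                    .permitAll()
                    .anyRequest().authenticated();
        }
    }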
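
One way to keep CSRF protection enabled with the Keycloak Spring Security adapter for the browser-session case in the original question, so that POST requests carrying a valid token are accepted. This is an added example, not code from any poster in this thread or from the Keycloak project; the class name `CsrfEnabledSecurityConfig`, the cookie-based token repository and the `anyRequest().authenticated()` rule are assumptions.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class name; the rest of the adapter setup (keycloak.json or
// Spring Boot properties) is assumed to follow the adapter documentation.
@KeycloakConfiguration
public class CsrfEnabledSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Let Keycloak's provider authenticate the logged-in user.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(keycloakAuthenticationProvider());
    }

    // Browser login keeps an HTTP session, so register it on authentication.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // super.configure() installs the Keycloak filters and leaves CSRF
        // protection on, using KeycloakCsrfRequestMatcher to decide which
        // requests need a token (POST does).
        super.configure(http);
        http.csrf()
                // Assumption: publish the token in the XSRF-TOKEN cookie,
                // readable by page scripts, which send it back in the
                // X-XSRF-TOKEN header. Server-rendered forms can instead
                // submit it as the _csrf request parameter.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```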