Programmatically Disable CSRF for x-auth-token

[rwinch]

We should provide a way for Spring Session to programmatically disable Spring Security's CSRF support on requests in which x-auth-token is used for establishing the session.

We could perhaps disable CSRF in Spring Security when:

• x-auth-token is provided
• No cookies are present (specifically JSESSIONID, but remember the cookie name can be configured)

We should be mindful of how this works in a CORS scenario.

If changes are made to Spring Security we should be mindful of how this will work in an OAuth Scenario

[jjzazuet]

Hi @rwinch . Just wanted to check what's the team's preference on this issue since I'm working on a REST service code base accepting GET and POST requests. So I don't know what's the recommended setting when using x-auth-token in a Spring Session based REST service.

Should I handle both tokens on the client side? Thanks!

[jjzazuet]

Found some bits of discussion here: http://stackoverflow.com/questions/36697478/csrf-protection-and-spring-session-header-session-strategy/43363213

Thanks!