These are chat archives for spring-cloud/spring-cloud

Dec 2015
Dec 03 2015 21:44
Is it safe to say that if you have Spring Security loaded within Zuul and a Spring Boot UI service that the best way to handle CSRF Tokens is to fetch the token within the UI service via headers and place it within the UI service's form? Is there some other Spring Cloud type mechanism?
Matt Reynolds
Dec 03 2015 21:45
I have a question on the config server for property overrides - the docs say "You can change the priority of all overrides in the client to be more like default values, allowing applications to supply their own values in environment variables or System properties, by setting the flag`" and then there's no flag name. I checked the raw adoc and don't see a flag there. I also checked the source file (and the client properties java) and don't see anything that would seem to match. Is there a flag for this or is the doc wrong? Thx
Dave Syer
Dec 03 2015 21:51
Clearly a bug in the docs
Raise an issue if you like
@ccit-spence syntax garbled
Not sure what you need to do there
Possibly answer depends a lot on whether you have server side rendering or not
Dec 03 2015 22:00
@dsyer Right now I am using standard Spring Security on the Zuul Gateway
I have a UI service that has a form
The UI service is a standard Spring MVC app
I need the csrf token from the gateway within the UI service's form in order to POST the form

Currently using Groovy Templates for the view. If it was a standard non-cloud Spring MVC app it would have a field like below:

input(type: 'hidden', name: "$_csrf.parameterName", value: "$_csrf.token") {}

Dec 03 2015 22:06
My guess is that within each UI service that has a form I need to replace "$_csrf.parameterName" and "$_csrf.token" with a call to the Header to get the token passed by Zuul
Matt Reynolds
Dec 03 2015 22:46
@dsyer ok so does overrideSystemProperties default true mean that system properties are overridden and allowOverride let you decide if overrideNone can be used? If it is, that then puts remote properties at the bottom of the list is that right? So if I set to false on the server, clients can't set to true and if I don't and the client does set overrideNone all properties from the config server are at the bottom of the list or just properties specified in ?
@dsyer btw - once I get this figured out, I'll raise an issue and provide a pull request for updating the doc. (I noticed another minor issue with the overrides example too)