Introduce CSRF. Add /run routing

k8s/deployment.yml

@@ -29,3 +29,5 @@ spec:
               value: http://portal-keycloak/realms/Portal
             - name: ROUTE_DEFAULT
               value: http://welcome-svc
+            - name: ROUTE_RUN
+              value: http://run-input-processing-svc

src/main/java/com/insilicosoft/portal/edgesvr/config/SecurityConfig.java

@@ -1,10 +1,16 @@
 package com.insilicosoft.portal.edgesvr.config;
 
+import reactor.core.publisher.Mono;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
+import org.springframework.security.web.server.csrf.CsrfToken;
+import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
+import org.springframework.web.server.WebFilter;
 
 @Configuration
 public class SecurityConfig {
@@ -13,8 +19,23 @@ public class SecurityConfig {
   SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
     return http.authorizeExchange(exchange -> exchange.pathMatchers("/", "/css/*", "/js/*", "/icon/*", "/img/*").permitAll()
                                                       .anyExchange().authenticated())
+                                 .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
+                                                   .csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler()::handle))
                                  .oauth2Login(Customizer.withDefaults())
                                  .build();
     }
 
-}
+  @Bean
+  WebFilter csrfWebFilter() {
+    // Required because of https://github.com/spring-projects/spring-security/issues/5766
+    return (exchange, chain) -> {
+      exchange.getResponse()
+              .beforeCommit(() -> Mono.defer(() -> {
+                                                     Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
+                                                     return csrfToken != null ? csrfToken.then() : Mono.empty();
+                                                   }));
+      return chain.filter(exchange);
+    };
+  }
+
+}

src/main/resources/application.yml

@@ -21,6 +21,12 @@ spring:
             - Method=GET
             - Path=/test/token
           uri: ${ROUTE_DEFAULT:http://localhost:9001}/
+        - id: 1-run
+          order: 1
+          predicates:
+            - Method=GET,POST
+            - Path=/run
+          uri: ${ROUTE_RUN:http://localhost:9002}/
         - id: 100-default
           order: 100
           predicates: