Enable CSRF protection by default

Fixes gh-11758

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/SpringBootWebSecurityConfiguration.java

@@ -23,7 +23,6 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplicat
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
 /**
@@ -45,12 +44,6 @@ public class SpringBootWebSecurityConfiguration {
 	@Order(SecurityProperties.BASIC_AUTH_ORDER)
 	static class DefaultConfigurerAdapter extends WebSecurityConfigurerAdapter {
 
-		@Override
-		protected void configure(HttpSecurity http) throws Exception {
-			super.configure(http);
-			http.csrf().disable();
-		}
-
 	}
 
 }

spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

@@ -3155,7 +3155,17 @@ NOTE: Before setting the `management.endpoints.web.exposure.include`, ensure tha
 exposed actuators do not contain sensitive information and/or are secured by placing them
 behind a firewall or by something like Spring Security.
 
+==== Cross Site Request Forgery Protection
 
+Since Spring Boot relies on Spring Security's defaults, CSRF protection is turned on by default.
+This means that the actuator endpoints that require a `POST` (shutdown and loggers endpoints), `PUT`
+or `DELETE` will get a 403 forbidden error when the default security configuration is in use.
+
+NOTE: We recommend disabling CSRF protection completely only if you are creating a service that
+is used by non-browser clients.
+
+Additional information about CSRF protection can be found in the {spring-security-reference}#csrf[Spring
+Security Reference Guide].
 
 [[boot-features-sql]]
 == Working with SQL Databases

spring-boot-samples/spring-boot-sample-actuator/src/test/java/sample/actuator/ShutdownSampleActuatorApplicationTests.java

@@ -25,8 +25,11 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
 import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.junit4.SpringRunner;
 
@@ -38,7 +41,9 @@ import static org.assertj.core.api.Assertions.assertThat;
  * @author Dave Syer
  */
 @RunWith(SpringRunner.class)
-@SpringBootTest(webEnvironment = WebEnvironment.RANDOM_PORT)
+@SpringBootTest(classes = { ShutdownSampleActuatorApplicationTests.SecurityConfiguration.class,
+		SampleActuatorApplication.class },
+		webEnvironment = WebEnvironment.RANDOM_PORT)
 public class ShutdownSampleActuatorApplicationTests {
 
 	@Autowired
@@ -72,4 +77,14 @@ public class ShutdownSampleActuatorApplicationTests {
 		return "password";
 	}
 
+	@Configuration
+	static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http.csrf().disable();
+		}
+
+	}
+
 }