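Many examples on the internet just say to call http.csrf().disable(), but on its own this ends up disabling all authentication (the AuthenticationPrincipal is always null). A configure(HttpSecurity) override that contains only that call replaces the default security configuration, so no authorization rules or login mechanism are left in place.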
Here is how to disable CSRF protection for a REST service when using Spring Boot without disabling all authentication.
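import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Declare the authorization rule and the OAuth2 login explicitly,
        // then switch off CSRF protection only.
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2Login()
            .and().csrf().disable();
    }
}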
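
A narrower variant of the configuration above, added here as an example and not part of the original post: oauth2Login() by default keeps the authenticated user in a cookie-backed HTTP session, so this version exempts only the REST paths from CSRF checks and leaves the protection on for every other request. The /api/** pattern and the class name are assumptions; the API is the same Spring Security 5.x adapter style used above.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; use this in place of SecurityConfiguration, not alongside it.
@Configuration
@EnableWebSecurity
public class ScopedCsrfSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed location of the REST endpoints; adjust to the real mapping.
    private static final String REST_API_PATTERN = "/api/**";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request, REST or not, still requires an authenticated user.
            .authorizeRequests().anyRequest().authenticated()
            // Same login mechanism as the configuration above.
            .and().oauth2Login()
            // CSRF token checks are skipped only for the REST paths;
            // all other state-changing requests still need a valid token.
            .and().csrf().ignoringAntMatchers(REST_API_PATTERN);
    }
}
```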