How to configure Spring Security to send 'X-CSRF-TOKEN'?

Frontend · unresolved · 2 answers · 964 views
天涯浪人 2021-02-05 17:24

The problem is to get the CSRF tokens working between Spring Security and Angular.

Spring Security CSRF Token Interceptor for Angular seems like something that should do

2 answers
  • 2021-02-05 18:04

    I am answering the question myself as there was a hidden one in the original GitHub repository: Issue #1.

    The solution was to add a couple of lines of Java code that adds the CSRF parameters as Http message headers.

    I added a working solution to the GitHub repo with Tag v.2.0.

  • 2021-02-05 18:23

    Angular looks for a cookie called "XSRF-TOKEN" I believe, so the easiest thing to do for the client is to send that. You can do it in a Filter for instance (example from https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/single/src/main/java/demo/UiApplication.java#L65):

        import java.io.IOException;

        import javax.servlet.Filter;
        import javax.servlet.FilterChain;
        import javax.servlet.ServletException;
        import javax.servlet.http.Cookie;
        import javax.servlet.http.HttpServletRequest;
        import javax.servlet.http.HttpServletResponse;

        import org.springframework.security.web.csrf.CsrfToken;
        import org.springframework.web.filter.OncePerRequestFilter;

        // Copies the CSRF token that Spring's CsrfFilter stored as a request attribute
        // into a cookie; Angular reads that cookie and echoes it back as X-XSRF-TOKEN.
        // Register this filter after CsrfFilter, otherwise the attribute is not set yet.
        private Filter csrfHeaderFilter() {
            return new OncePerRequestFilter() {
                @Override
                protected void doFilterInternal(HttpServletRequest request,
                        HttpServletResponse response, FilterChain filterChain)
                        throws ServletException, IOException {
                    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                    if (csrf != null) {
                        // Deliberately not HttpOnly: the Angular client must read it from JavaScript.
                        Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                    filterChain.doFilter(request, response);
                }
            };
        }
    

    Update: since Spring Security 4.2 the correct cookie name for Angular is used by default if you use the cookie CSRF repository (the link is still the best source), i.e. there is no longer any need for a custom filter. Example:

    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    ...
                    .and()
                .csrf()
                    // Sets cookie "XSRF-TOKEN" and expects header "X-XSRF-TOKEN"; HttpOnly is off so Angular can read it.
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        }
    }