Include the CSRF Token in Spring Security | Code Factory

Form Submissions

To implement spring security you must include the CSRF token in all PATCH, POST, PUT, and DELETE methods. One way to approach this is to use the _csrf request attribute to obtain the current CsrfToken. An example of doing this with a JSP is shown below:

<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>

</form>


*Note : If you are using Spring MVC <form:form> tag or Thymeleaf 2.1+ and are using @EnableWebSecurity, the CsrfToken is automatically included for you (using the CsrfRequestDataValueProcessor).


Ajax and JSON Requests

 If you are using JSON, then it is not possible to submit the CSRF token within an HTTP parameter. Instead you can submit the token within a HTTP header. A typical pattern would be to include the CSRF token within your meta tags. An example with a JSP is shown below:


 <html>
<head>
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
</head>
You can then include the token within all your Ajax requests. If you were using jQuery, this could be done with the following:


$(function () {
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});


CookieCsrfTokenRepository

 There can be cases where users will want to persist the CsrfToken in a cookie. By default the CookieCsrfTokenRepository will write to a cookie named XSRF-TOKEN and read it from a header named X-XSRF-TOKEN or the HTTP parameter _csrf.


You can configure CookieCsrfTokenRepository in XML using the following:

 <http>
<!-- ... -->
<csrf token-repository-ref="tokenRepository"/>
</http>
<b:bean id="tokenRepository"
class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"
p:cookieHttpOnly="false"/>





You can configure CookieCsrfTokenRepository in Java Configuration using:



@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}

Tags:
Cross Site Request Forgery (CSRF) - Spring
Guide to CSRF Protection in Spring Security
Spring Security CSRF Token
CSRF Token Implementation in Spring
How to Implement CSRF Token in java


Comments

Post a Comment

Popular posts from this blog

How to get IP address and MAC address of client in java | #CodeFactory

- Java access to the client IP address and MAC address -  In JSP, method to obtain the client's IP address is: request.getRemoteAddr (), this method is effective in most cases. -  After the agent, because between the client and the service increased intermediate layer, so the server can not be directly to the IP client, server application is not directly by forwarding the requested address is returned to the client. -  But in the HTTP header information request, increase the XFORWARDEDFOR information. To track the original client IP address and the original client requests the server address. -  When we visit index.jsp/, In fact, we are not true to the browser to access the index.jsp file on the server, But the proxy server to access the index.jsp , The proxy server will access to the results returned to the browser, Because it is a proxy server to access the index.jsp, So the index.jsp through the request.getRemoteAddr () method to obtain the IP is actually the...
Read more

At Least One Checkbox Is Checked From All CheckBox Group | #CodeFactory

Image
File : checkBox.jsp checkbox checkbox Check Box 1 Male Female Check Box 2 ck1 ck2 Check Box 3 ck3 ck4 Tags : Check if checkbox is checked with jQuery validation for multiple checkboxes Checkbox validation - at least one selected  Require at least one checkbox be checked Submit form only if at least one checkbox is checked Multiple Checkboxes at least 1 required check atleast one checkbox is checked on form submission Validating that at least one checkbox is checked. Only submit if at least one checkbox is checked (dynamically) Validations for atleast one checkbox checked in javascript
Read more

FTP Connection In Installed Alfresco | Code Factory

Image
Note  :  First check that PC is able to create FTP connection... Step 1 : Stop alfresco. Step 2 : Add these properties in < alfresco> -> tomcat -> shared -> classes -> alfresco-global.properties ftp.enabled=true ftp.port=2121 Step 3 : Start alfresco. Step 4 : Check FTP connection is successfully created or not using URL. ftp:// :2121/alfresco Tags : Alfresco Tutorial Configuring the FTP file server How To Enable FTP On Alfresco? Transfer and Get File Using FTP
Read more