spring security - Using AngularJS with Spring Security 3.2 for CSRF


AngularJS

index.html

<head>
    <meta name="_csrf" content="${_csrf.token}"/>
    <!-- default header name X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}"/>
</head>

Spring Security 3.2

Spring uses HttpSessionCsrfTokenRepository, which by default gives the CSRF header name X-CSRF-TOKEN, but the Angular convention is X-XSRF-TOKEN.

I wanted to extend HttpSessionCsrfTokenRepository and override the header name, but since it is marked final I ended up implementing a custom token repository.

import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.stereotype.Component;

@Component
public class CustomCsrfTokenRepository implements CsrfTokenRepository {

    // Logger was used but not declared in the posted snippet; added so it compiles.
    private static final Logger log = LoggerFactory.getLogger(CustomCsrfTokenRepository.class);

    public static final String CSRF_PARAMETER_NAME = "_csrf";
    public static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";

    // Tokens keyed by the request's Authorization header value, not by HTTP session.
    private final Map<String, CsrfToken> tokenRepository = new ConcurrentHashMap<>();

    public CustomCsrfTokenRepository() {
        log.info("Creating {}", CustomCsrfTokenRepository.class.getSimpleName());
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return new DefaultCsrfToken(CSRF_HEADER_NAME, CSRF_PARAMETER_NAME, createNewToken());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        String key = getKey(request);
        if (key == null)
            return;

        if (token == null) {
            tokenRepository.remove(key);
        } else {
            tokenRepository.put(key, token);
        }
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        String key = getKey(request);
        return key == null ? null : tokenRepository.get(key);
    }

    private String getKey(HttpServletRequest request) {
        return request.getHeader("Authorization");
    }

    private String createNewToken() {
        return UUID.randomUUID().toString();
    }
}

SecurityConfig.java

import javax.inject.Inject;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Inject
    private CustomCsrfTokenRepository customCsrfTokenRepository;

    // The three handlers below are referenced but not declared in the posted snippet;
    // declared here as injected beans so the class compiles.
    @Inject
    private AuthenticationEntryPoint authenticationEntryPoint;
    @Inject
    private AuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;
    @Inject
    private AuthenticationFailureHandler ajaxAuthenticationFailureHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
//          .addFilterAfter(new CsrfTokenGeneratorFilter(), CsrfFilter.class)
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .formLogin()
                .loginProcessingUrl("/app/authentication")
                .successHandler(ajaxAuthenticationSuccessHandler)
                .failureHandler(ajaxAuthenticationFailureHandler)
                .usernameParameter("j_username")
                .passwordParameter("j_password")
                .permitAll()
                .and()
            .csrf()
                .csrfTokenRepository(customCsrfTokenRepository);
    }
}
  1. How can I cleanly override the header name instead of creating a custom CsrfTokenRepository?

  2. Are there other configuration changes needed for single-page applications such as AngularJS? It does not work yet.

When using Java configuration for Spring Security, the following should be possible:

  @Override
  public void configure(final HttpSecurity http) throws Exception {
      final HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
      tokenRepository.setHeaderName("X-XSRF-TOKEN");

      http.csrf().csrfTokenRepository(tokenRepository);
  }

The complication is that single-page applications rely on AJAX, and including CSRF tokens in AJAX requests is a bit complicated. When using AngularJS, the server should send a session cookie called XSRF-TOKEN upon the first request, and whenever the user logs in or logs out. AngularJS will return the value of that cookie in the HTTP header X-XSRF-TOKEN on its requests, so the server can check it.
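The server-side half of that cookie hand-off, as an added example that is not from the question or the answer: a filter placed after Spring Security's CsrfFilter that copies the current token into the XSRF-TOKEN cookie AngularJS reads. The class name CsrfCookieFilter is my own; it assumes the HttpSessionCsrfTokenRepository above has been given the header name X-XSRF-TOKEN so CsrfFilter validates what Angular sends back.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

/**
 * Register after CsrfFilter, e.g. in SecurityConfig.configure(HttpSecurity):
 *   http.csrf().csrfTokenRepository(tokenRepository)
 *       .and().addFilterAfter(new CsrfCookieFilter(), CsrfFilter.class);
 *
 * The cookie is deliberately NOT HttpOnly: AngularJS's $http must read it in
 * order to echo the value back as the X-XSRF-TOKEN request header. The token
 * itself is still bound to the server-side session by the token repository.
 * (Hypothetical class name, added here; not part of the original page.)
 */
public class CsrfCookieFilter extends OncePerRequestFilter {

    private static final String COOKIE_NAME = "XSRF-TOKEN";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {
        // CsrfFilter stores the current token as a request attribute keyed by the class name.
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (csrf != null && csrf.getToken() != null) {
            Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
            String token = csrf.getToken();
            // (Re)issue the cookie when it is missing or stale: login/logout rotate the
            // session and therefore the token, so the browser's copy must be refreshed.
            if (cookie == null || !token.equals(cookie.getValue())) {
                cookie = new Cookie(COOKIE_NAME, token);
                cookie.setPath("/");
                // Mark Secure whenever the app is served over TLS so the token is never sent in clear.
                cookie.setSecure(request.isSecure());
                response.addCookie(cookie);
            }
        }
        filterChain.doFilter(request, response);
    }
}
```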

