CODEWITHSUNDEEP
springspring-securitycsrf
napstablook
napstablook

Reputation: 369

Spring not sending CSRF token on response

I'm having problems getting my Angular2 client to communicate with my Spring server since I added spring-security to it, namely when I try to send a JSON containing authentication information to the server login url I get a 403 "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'."

I understand that I should be passing a token on the header of my responses to be used by the client but this token isnt being passed. I tried this answer but the token is still not being passed. I'm also sending requests through postman, and the token isnt arriving either.

webSecurityConfig.xml:

    <http entry-point-ref="restAuthenticationEntryPoint">
      <intercept-url pattern="/api/**" access="hasRole('ROLE_USER')"/>

      <form-login
         authentication-success-handler-ref="mySuccessHandler"
         authentication-failure-handler-ref="myFailureHandler"
      />

      <logout />
   </http>

   <beans:bean id="mySuccessHandler"
      class="com.eficid.cloud.security.rest.AuthenticationSuccessHandler"/>
   <beans:bean id="myFailureHandler" class=
     "org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>


      <authentication-manager>
        <authentication-provider>
          <user-service>
            <user name="temp" password="temp" authorities="ROLE_USER" />
          </user-service>
        </authentication-provider>
      </authentication-manager>

</beans:beans>

SpringSecurityConfiguration

@Configuration
@ImportResource({ "classpath:webSecurityConfig.xml" })
@ComponentScan("com.eficid.cloud.security.rest")
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    public SpringSecurityConfig() {
        super();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests()
                .antMatchers("/spring-security-rest/login").permitAll().anyRequest()
                .authenticated().and().csrf()
                .csrfTokenRepository(csrfTokenRepository()).and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }


    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
                        .getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null
                            && !token.equals(cookie.getValue())) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

}

Upvotes: 4

Views: 5116

Answers (1)

Jarek
Jarek

Reputation: 110

Possibly typo in:

private CsrfTokenRepository csrfTokenRepository() {
    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
    repository.setHeaderName("X-XSRF-TOKEN");
    return repository;
}

must be X-CSRF-TOKEN instead of X-XSRF-TOKEN. Suggest refactoring.

check this link: How to access Spring CSRF restful web service

Upvotes: 2

Related Questions