IceMajor

Reputation: 241

Include CSRF token in requests in Vaadin

On Vaadin's site they state that:

All requests between the client and the server are included with a user session specific CSRF token

However, I'm unable to fetch this token programmatically. I tried

System.out.println(VaadinRequest.getCurrent().getAttribute("_csrf"));

and

System.out.println(VaadinRequest.getCurrent().getHeader("X-CSRF-TOKEN"));

in order to somehow see whether the request really contains this token. In both cases, the returned value is null.

In my SecurityConfig.java, I have disabled the CSRF token, as Vaadin breaks if it is enabled. I assume that there may be some overlap going on.

I also have a SecurityVaadinConfig.java, which is pretty much the default; it looks like this:

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityVaadinConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Spring Security evaluates request matchers in registration order and the
        // first match wins, so permitting "/**" here means every request is allowed
        // before the matchers that super.configure(http) registers are consulted.
        http.authorizeHttpRequests((auth) -> auth
                .requestMatchers(new AntPathRequestMatcher("/**")).permitAll());
        // Applies Vaadin's default security setup (CSRF handling for Vaadin's own
        // endpoints, static resource access, etc.).
        super.configure(http);
        setLoginView(http, LoginView.class);
    }

    @Override
    protected void configure(WebSecurity web) throws Exception {
        super.configure(web);
    }
}

How can I ensure that this token is really passed in "all requests between the client and the server"?

Upvotes: 0

Views: 255

Answers (1)

IceMajor

Reputation: 241

OK. I found this issue from 2 years ago (https://github.com/vaadin/web-components/issues/201). The CSRF token is passed as a meta tag of the page. I was able to retrieve the CSRF token through UI.getCurrent().getCsrfToken() and so confirm to myself that CSRF is enabled.

Upvotes: 1
