user29675544

Reputation: 1

CSRF management in Spring boot application with Vue js issue

I'm working on my Spring Boot app with a Vue.js frontend and I want to adjust CSRF tokens for POST requests from my Vue.js client. So, to set the CSRF token for the POST request I make a preliminary GET request to http://localhost:8091/api/csrf/token to retrieve the CSRF token. Here's my @RestController:

@RestController
@RequestMapping("/api/csrf")
public class CsrfController {
    @GetMapping("/token")
    public CsrfToken getCsrfToken(CsrfToken csrfToken) {
        return csrfToken;
    }
}

Once I have retrieved this token, I create a POST request to login with axios and set the header 'X-CSRF-TOKEN': token, like this:

async getCSRFToken() {
    // fetch the token for the current session and cache it client-side
    await axios.get(`${BASE_URL}/csrf/token`).then((response) => {
        localStorage.setItem('csrfToken', response.data.token);
    });
    this.csrf = localStorage.getItem('csrfToken') ? localStorage.getItem('csrfToken') : '';
    return localStorage.getItem('csrfToken') !== '';
}

The issue is that on the server side in Spring Boot the token I sent with the POST request is different from the one obtained from the CsrfTokenRepository in the filter chain, and the request isn't accepted by the filter chain as authenticated. As I noticed, my session id from the request where I retrieve the CSRF token is different from the one in the POST request for login. I also found that both requests, when sent from Postman, have the same session id, so there's no such issue with CSRF not being authenticated there (I'm pretty sure the problem is in my frontend client). How can I make these CSRF tokens be the same or resolve the problem with sessions?

My Spring Security configuration is:

SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
    http
            .cors(cors -> cors.configure(http))
            .csrf(httpSecurityCsrfConfigurer -> {
                // token is stored in the HTTP session, so both requests must share a session
                httpSecurityCsrfConfigurer.csrfTokenRepository(new HttpSessionCsrfTokenRepository());
                httpSecurityCsrfConfigurer.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
            })
            .authorizeHttpRequests(authorizeRequests -> {
                authorizeRequests.requestMatchers("/api/**").permitAll();
                authorizeRequests.requestMatchers("/api/auth/**").permitAll();
                authorizeRequests.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll();
                authorizeRequests.anyRequest().authenticated();
            })
            // authenticationFilter and authenticationEntryPoint are fields of the configuration class
            .addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class);

    http.exceptionHandling(exception -> exception
            .authenticationEntryPoint(authenticationEntryPoint));
    return http.build();
}

I tried to manage sessions with sessionManagement((session) -> session.sessionCreationPolicy(...)), where ... is every variant; I tried to change the CsrfTokenRequestHandler; I tried to change the CsrfTokenRepository.

Upvotes: -1

Views: 30

Answers (0)