Spring Security +基于Angular App REST令牌的身份验证= 403在POST上被禁止

Question

I have an app which has Angular component on frontend and Java on backend. I am using Token based Authentication to provide security. But I am headed to an issue that when I make a POST request, I get 403-Forbidden status code. All the GET request works fine. I checked all my implementation on the Java side and seems fine. I checked out other solutions from StackOverFlow.com and other forums and they have advised to disabled the CSRF. Even though I implemented that, I am still getting 403. Has anyone have any idea about it? Thanks in advance and here is my code.

This is my security.xml

<security:http 
        realm="Portected API" 
        use-expressions="true" 
        auto-config="false" 
        create-session="stateless"
        entry-point-ref="unauthorzedEntiryPoint"
        authentication-manager-ref="authenticationManager">
        <security:csrf disabled="true"/>
        <security:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER"/>
        <security:intercept-url pattern="/foo" method="POST" access="hasAnyRole('USER', 'ADMIN')"/>
        <security:intercept-url pattern="/bar" method="POST" access="hasAnyRole('USER', 'ADMIN')"/>
    </security:http>

As you can see, I have disabled the CSRF on line 8 in the code. And here is my other remaining parts of XML.

<security:global-method-security secured-annotations="enabled"/>

<security:authentication-manager id="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailService">
            </security:authentication-provider>
</security:authentication-manager>


<beans:bean id="unauthorzedEntiryPoint" class="org.sec.config.security.UnauthorizedEntryPoint"/>

<beans:bean id="authenticationTokenProcessingFilter" class="org.sec.config.security.AuthenticationTokenProcessingFilter">
    <constructor-arg ref="userDetailService"/>
</beans:bean>

<beans:bean id="userDetailService" class="org.sec.config.security.UserDetailService"/>

<beans:bean name="bcryptEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

In my Angular side, I am calling the resource like this:

Restangular.all('bar').post(barModel, {}, {'Sec-Token': $localStorage.userToken})
      .then(function (response) {
        deferred.resolve(response);
        vm.currentBlog = response;
        //rest of the code.
}

Answer 1

1) Add a filter class as shown below

public class CsrfHeaderFilter extends OncePerRequestFilter {
 @Override
protected void doFilterInternal(HttpServletRequest request,
  HttpServletResponse response, FilterChain filterChain)
  throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
    .getName());
if (csrf != null) {
  Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
  String token = csrf.getToken();
  if (cookie==null || token!=null && !token.equals(cookie.getValue())) {
    cookie = new Cookie("XSRF-TOKEN", token);
    cookie.setPath("/");
    response.addCookie(cookie);
  }
}
filterChain.doFilter(request, response);
}
}

2) Update the security config class to include the above filter as shown below

  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.context.annotation.Configuration;
  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  import org.springframework.security.web.csrf.CsrfFilter;
  import org.springframework.security.web.csrf.CsrfTokenRepository;
  import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

  @Configuration
  @EnableWebSecurity
  public class SecurityConfig extends WebSecurityConfigurerAdapter{



  protected void configure(HttpSecurity http) throws Exception {
    http
    .httpBasic().and()
    .authorizeRequests()
      .antMatchers("/login", "/login?logout" ).permitAll().anyRequest()
      .authenticated().and()
    .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf().csrfTokenRepository(csrfTokenRepository());
 }

private CsrfTokenRepository csrfTokenRepository() {
      HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
      repository.setHeaderName("X-XSRF-TOKEN");
      return repository;
    }

}

3) Now there is no need to include any additional header on the Restangular post call, sample code is shown below.

$Restangular.all('/addData').customPOST(
                     {amount:$scope.newExpense.amount, reason:$scope.newExpense.reason,dateStr:''+$scope.newExpense.date  },
                    '',
                    {},
                    {
                        'ContentType':'application/x-www-form-urlencoded'
                    }
                ).then(function() {

Source : https://spring.io/blog/2015/01/12/the-login-page-angular-js-and-spring-security-part-ii