使用 Spring Security 的 CSRF 保护

Question

Is there a way to implement only CSRF protection using spring security without using rest of the features like authentication and authorization ?

I tried the following configuration but it turns off all the features of spring-security. Wanted to see if there is a way to configure to leave the csrf features ON.

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <http auto-config="true" security="none"/>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="Password1" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

Answer 1

As you already noticed security="none" allows you to specify a subset of urls for which Spring Security is to be disabled completely, as in :

<http pattern="/css/**" security="none"/>
<http pattern="/login.jsp*" security="none"/>

If you wish to keep Spring Security for a url, but want to disable authentication etc., use access="permitAll" instead:

<http>
    <intercept-url pattern="/**" access="permitAll"/>
</http>

I see that you are using Spring Security 4, so csrf protection will be enabled by default. If you were using Spring Security 3, you would need to enable it yourself, as in:

<http>
    <intercept-url pattern="/**" access="permitAll"/>
    <csrf/>
</http>

EDIT I have updated my answer. It has been a while since I used xml config. Maybe you should consider using Java config as well?

Answer 2

I also had the same requirement as you , and I was able to achieve it by minimal configurations in

<authentication-manager />
<http create-session="never" use-expressions="true">
    <csrf />
    <http-basic />
</http>

Here the < authentication-manager /> declares that the spring security doesn't expect an authentication/authorization mechanism, and assumes that all requests are already authenticated.

After this add the Spring Security Filter on your file. This ensures that all requests first pass through spring security mechanism before being handled by the application controller.

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Then in your JSPs (preferably the Header JSP), include the Spring Security's Taglib to access and store the CSRF tokens in the meta tag.

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>

<sec:csrfMetaTags />

<script type="text/javascript">
    var csrfHeader = $("meta[name='_csrf_header']").attr("content");
    var csrfToken = $("meta[name='_csrf']").attr("content");
</script>

After this include the CSRF Tokens in all your Ajax calls. If not included, you will get the 403 - Access Denied Error.

For Example, if you are using jQuery for doing ajax calls, then you can configure it globally to include the CSRF tokens in the Request Header.

$(document).ajaxSend(function(e, xhr, options) {
    xhr.setRequestHeader(csrfHeader, csrfToken);
});

JAR files required for this to work are:

    spring-security-acl-5.0.7.RELEASE.jar
    spring-security-config-5.0.7.RELEASE.jar
    spring-security-core-5.0.7.RELEASE.jar
    spring-security-taglibs-5.0.7.RELEASE.jar
    spring-security-web-5.0.7.RELEASE.jar