[英]Protecting web application from CSRF attack using Spring Security
I am implementing CSRF protection in my web application. 我正在Web应用程序中实现CSRF保护。
I have used org.springframework.security.web.csrf.CookieCsrfTokenRepository
class to generate the X-XSRF token. 我已经使用org.springframework.security.web.csrf.CookieCsrfTokenRepository
类生成X-XSRF令牌。 This token is being sent as cookie in every request's response. 该令牌在每个请求的响应中均作为cookie发送。
UI component which is a single page application deployed on different server is read this cookie and read the X-XSRF token from cookie and set it as header in all subsequent requests. UI组件是部署在不同服务器上的单页应用程序,将读取此cookie并从cookie中读取X-XSRF令牌,并将其设置为所有后续请求中的标头。
Spring validates the received X-XSRF token and allow/deny the request. Spring验证收到的X-XSRF令牌并允许/拒绝请求。 This works fine. 这很好。
But their is a constraint this X-XSRF cookie has to be httpOnly
is false
so that client side JavaScript can read it. 但是,这是X-XSRF cookie必须为httpOnly
的约束,它是false
以便客户端JavaScript可以读取它。
We cannot read a cookie for which httpOnly
is true
. 我们无法读取httpOnly
为true
的cookie。
Is there any other alternative to protect web application CSRF in an web application where X-XSRF token cookie httpOnly
is true
. 在X-XSRF令牌cookie httpOnly
为true
的Web应用程序中,还有其他任何方法可以保护Web应用程序CSRF。
Using JavaScript method ( document.cookie
) I can not read the cookies for which httpOnly
attribute is set to true
, see: 使用JavaScript方法( document.cookie
),我无法读取httpOnly
属性设置为true
的cookie,请参阅:
I can not made the changes to make all the cookies as httpOnly
is false
in Websphere. 我无法进行更改以使所有cookie都因为在Websphere中httpOnly
为false
。
Or am I missing something where client side JavaScript can read the cookie which is httpOnly
is true
. 还是我错过了客户端JavaScript可以读取cookie的内容,而该cookie是httpOnly
是true
。
See Spring Security Reference : 参见Spring Security Reference :
CookieCsrfTokenRepository CookieCsrfTokenRepository
There can be cases where users will want to persist the
CsrfToken
in a cookie. 在某些情况下,用户可能希望将CsrfToken
在cookie中。 By default theCookieCsrfTokenRepository
will write to a cookie namedXSRF-TOKEN
and read it from a header namedX-XSRF-TOKEN
or the HTTP parameter_csrf
. 默认情况下,CookieCsrfTokenRepository
将写入名为XSRF-TOKEN
的cookie,并从名为X-XSRF-TOKEN
的标头或HTTP参数_csrf
读取它。 These defaults come from AngularJS 这些默认值来自AngularJSYou can configure
CookieCsrfTokenRepository
in XML using the following: 您可以使用以下CookieCsrfTokenRepository
以XML配置CookieCsrfTokenRepository
:<http> <!-- ... --> <csrf token-repository-ref="tokenRepository"/> </http> <b:bean id="tokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository" p:cookieHttpOnly="false"/>
The sample explicitly sets
cookieHttpOnly=false
. 该示例显式设置cookieHttpOnly=false
。 This is necessary to allow JavaScript (ie AngularJS) to read it. 这是允许JavaScript(即AngularJS)读取它所必需的。 If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omitcookieHttpOnly=false
to improve security. 如果不需要直接使用JavaScript读取cookie的功能,建议省略cookieHttpOnly=false
以提高安全性。You can configure
CookieCsrfTokenRepository
in Java Configuration using: 您可以使用以下CookieCsrfTokenRepository
在Java配置中配置CookieCsrfTokenRepository
:@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
The sample explicitly sets
cookieHttpOnly=false
. 该示例显式设置cookieHttpOnly=false
。 This is necessary to allow JavaScript (ie AngularJS) to read it. 这是允许JavaScript(即AngularJS)读取它所必需的。 If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omitcookieHttpOnly=false
(by using newCookieCsrfTokenRepository()
instead) to improve security. 如果您不需要直接使用JavaScript读取cookie的功能,建议省略cookieHttpOnly=false
(通过使用新的CookieCsrfTokenRepository()
代替)以提高安全性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.