
CSRF protection with Angular + Spring Boot + REST + JWT

I am working with an Angular + Spring Boot application and I use JWT for authorization (token stored in an http-only cookie); the backend is fully developed with REST services. Now I am trying to use CSRF protection with Spring Security but I don't understand how it works. A new XSRF-TOKEN is always generated for each request, but even if you change it manually or delete it, subsequent requests are always successful.

This is my code snippet regarding CSRF (i.e. what is written in all the guides):

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;

// inside configure(HttpSecurity http); csrfTokenRepository() returns the
// CsrfConfigurer, so a trailing and() is needed before assigning back to http
http = http.cors().and().csrf().csrfTokenRepository(this.getCsrfTokenRepository()).and();

...

private CsrfTokenRepository getCsrfTokenRepository() {
    // HttpOnly=false so the Angular client can read the XSRF-TOKEN cookie
    // and echo it back in the X-XSRF-TOKEN header
    CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
    tokenRepository.setCookiePath("/");
    return tokenRepository;
}

Where am I going wrong?

You are not doing anything wrong. When you configure CookieCsrfTokenRepository with withHttpOnlyFalse, it means you are using the double-submit cookie approach for CSRF validation rather than the typical synchronizer-token pattern.

In the synchronizer pattern, the incoming token is matched against the one stored in the session. With CookieCsrfTokenRepository, it is checked whether there is a cookie named CSRF_TOKEN and a header named X_XSRF_TOKEN and whether their values match. Please note the cookie name and header name may not be exact, but the point here is that there is no specific value in the session to be matched against.

It means that if I send a header with value A and a cookie with value A (A being different from the one in the cookie sent by Spring Security), the request will pass, because it only checks whether the header and cookie values are the same, not whether they equal the one it generated.

This is not a security flaw. This is how the double-submit cookie approach works.
