stackoom
  简体   繁体   中英

Spring Security denies logout CSRF token

 原文  2015-06-10 12:32:26       java/ angularjs/ spring/ spring-mvc/ spring-security

Question

I'm trying to implement an Angular app using this tutorial: https://spring.io/guides/tutorials/spring-security-and-angular-js/

Logging in works and performing subsequent HTTP calls works, too. Angular successfully appends the CSRF token and Spring successfully parses it. Assuming the token is foo , the requests will contain these headers:

Cookie: JSESSIONID=...; XSRF-TOKEN=foo JSESSIONID=...; XSRF-TOKEN=foo

X-XSRF-TOKEN: foo

Now, when trying to log out with $http.post('logout', {}) , Angular will use exactly the same headers. However, Spring answers with a 403:

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

This is what my security configuration looks like: 

protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic().and()
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .anyRequest().authenticated().and()
        .logout().and()
        .addFilterBefore(new CsrfHeaderFilter(), CsrfFilter.class);
}

CsrfHeaderFilter is the class explained in the tutorial (which apparently works for every other request).

1 answers

solution1
 0  2015-08-05 10:29:37

I realize it's 2 months late, but I was following the exact same guide today and this unanswered post keeps on popping up so here's the solution.

Basically, you were missing the csrfTokenRepository() configuration in the HttpSecurity configurer.

Spring CsrfTokenRepository expects the header "X-CSRF-TOKEN" but Angular sends the token in a header called "X-XSRF-TOKEN" so the guide recommended you setup an instance of CsrfTokenRepository which expects the Angular default header "X-XSRF-TOKEN" : 

protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic().and()
        .authorizeRequests()
        .antMatchers("/").permitAll()
        .anyRequest().authenticated().and()
        .logout()
        .and()
        //This is the first part you were missing
        .csrf()
            .csrfTokenRepository(csrfTokenRepository())
        .and()
            .addFilterBefore(new CsrfHeaderFilter(), CsrfFilter.class);
}


@Bean
public CsrfTokenRepository csrfTokenRepository(){
    HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();

    // This is the second part you were missing
    repository.setHeaderName("X-XSRF-TOKEN");
    return repository;
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Security not creating CSRF token Spring security: activating csrf disables /logout Spring Security CSRF: How to retrieve token in Java Different csrf token per request in Spring security Spring Security CSRF Token not working with AJAX Expected CSRF token not found Spring Security Spring Security 4 JTwig put CSRF token in forms Spring security csrf disabled, still get an Invalid CSRF token found Spring CSRF override “POST” logout behaviour in security XML config 403 CSRF token error using Vaadin with Spring Security
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM