Angular 2 CSRF cookie not set in POST response header in Spring Security


I have an Angular 2 application that works with Spring. The backend (Spring) runs on another port, and CORS is configured as follows.

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class GlobalCorsFilter implements Filter {

        public GlobalCorsFilter() {
            super();
        }

        @Override
        public final void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
                throws IOException, ServletException {
            final HttpServletResponse response = (HttpServletResponse) res;
            response.setHeader("Access-Control-Allow-Origin", "http://localhost:4200");
            // without this header jquery.ajax calls return 401 after a successful login, even though JSESSIONID is successfully stored
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization, origin, content-type, version");
            response.setHeader("Access-Control-Expose-Headers", "x-requested-with, authorization, origin, content-type");

            final HttpServletRequest request = (HttpServletRequest) req;
            // compare with equals(): != on Strings compares references, not content
            if (!"OPTIONS".equals(request.getMethod())) {
                chain.doFilter(req, res);
            } else {
                // preflight request: answer with the CORS headers set above only
            }
        }

        @Override
        public void destroy() {
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }
    }

This code works fine, I guess, because I don't get any errors.

The problem occurs when I try to POST something; the GET method works fine. I have CSRF enabled in the Spring configuration and want to keep it that way. I get a '403' code when I try to POST. This is the cookie filter class configuring CSRF.

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.web.csrf.CsrfToken;
    import org.springframework.web.filter.OncePerRequestFilter;
    import org.springframework.web.util.CookieGenerator;

    public class CsrfCookieGeneratorFilter extends OncePerRequestFilter {

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                throws ServletException, IOException {
            // Spring's CsrfFilter stores the CsrfToken as the request attribute "_csrf"
            CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");

            // only send the cookie if the token has changed (or was never sent)
            String actualToken = request.getHeader("X-CSRF-TOKEN");
            if (csrfToken != null && (actualToken == null || !actualToken.equals(csrfToken.getToken()))) {
                // session cookie readable by Angular (HttpOnly must be false for that)
                CookieGenerator cookieGenerator = new CookieGenerator();
                cookieGenerator.setCookieName("CSRF-TOKEN");
                cookieGenerator.setCookieHttpOnly(false);
                cookieGenerator.setCookieMaxAge(-1);
                cookieGenerator.setCookiePath("/");
                cookieGenerator.addCookie(response, csrfToken.getToken());
            }

            filterChain.doFilter(request, response);
        }
    }

And here is the Spring configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterBefore(new GlobalCorsFilter(), ChannelProcessingFilter.class)
            .addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
            .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .........

I added this line of code in Angular 2:

    {provide: XSRFStrategy, useValue: new CookieXSRFStrategy('CSRF-TOKEN', 'X-CSRF-TOKEN')}

I get this message in the response:

    Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

According to the Angular 2 documentation, if I use the Http service it takes care of CSRF by default, so I do not need to add the provider unless I want to have a custom XSRFStrategy.

Angular's Http has built-in support for the client-side half of this technique in its XSRFStrategy. The default CookieXSRFStrategy is turned on automatically. Before sending an HTTP request, the CookieXSRFStrategy looks for a cookie called XSRF-TOKEN and sets a header named X-XSRF-TOKEN with the value of that cookie.

https://angular.io/docs/ts/latest/guide/security.html#!#http

But as you can see in the link below, you need to have a special configuration in Spring in order to allow JavaScript (i.e. AngularJS) to read it. In the documentation it is named AngularJS, the same as Angular 2+.

http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-cookie

