
session - CSRF management in Spring boot application with Vue js issue - Stack Overflow


I'm working on my Spring Boot app with a Vue.js frontend and I want to adjust CSRF tokens for POST requests from my Vue.js client. So, to set the CSRF token for the POST request, I first make a GET request to http://localhost:8091/api/csrf/token to retrieve the CSRF token. Here's my @RestController:

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/csrf")
public class CsrfController {
    // The CsrfToken argument is resolved from the request attribute that CsrfFilter sets;
    // reading its value (which JSON serialization does) generates the token if needed and
    // saves it in the configured repository, i.e. the HTTP session here.
    @GetMapping("/token")
    public CsrfToken getCsrfToken(CsrfToken csrfToken) {
        return csrfToken;
    }
}

Once I've retrieved this token, I create a POST request to log in with axios and set the header 'X-CSRF-TOKEN': token, like this:

async getCSRFToken() {
  // Fetch a token from the backend and cache it; the server binds the token to the HTTP session.
  const response = await axios.get(`${BASE_URL}/csrf/token`);
  localStorage.setItem('csrfToken', response.data.token);
  this.csrf = localStorage.getItem('csrfToken') || '';
  return this.csrf !== '';
}

The issue is that on the server side in Spring Boot, the token I sent with the POST request is different from the one obtained from the CsrfTokenRepository in the filter chain, and the request isn't accepted by the filter chain as authenticated. As I noticed, my session id from the request where I retrieve the CSRF token is different from the one in the POST request for login. Also I found that both requests sent from Postman have the same sessionId, so there's no such issue with CSRF not being authenticated (I'm pretty sure the problem is in my frontend client). How can I make these CSRF tokens the same, or resolve the problem with sessions?

My SpringSecurityConfiguration is:

import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

// authenticationFilter and authenticationEntryPoint are injected fields of the
// configuration class (not shown in the question).
@Bean
SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager authManager) throws Exception {
        http
                .cors(cors -> cors.configure(http))
                .csrf(httpSecurityCsrfConfigurer -> {
                    // Token lives in the HttpSession, so it is only valid for the session
                    // identified by the JSESSIONID cookie sent with the request.
                    httpSecurityCsrfConfigurer.csrfTokenRepository(new HttpSessionCsrfTokenRepository());
                    // Plain (non-XOR-masked) token handling; the raw token value is compared.
                    httpSecurityCsrfConfigurer.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
                })
                .authorizeHttpRequests(authorizeRequests -> {
                    // Matchers are evaluated in order: "/api/**" already covers "/api/auth/**".
                    authorizeRequests.requestMatchers("/api/**").permitAll();
                    authorizeRequests.requestMatchers("/api/auth/**").permitAll();
                    authorizeRequests.requestMatchers(HttpMethod.OPTIONS, "/**").permitAll();
                    authorizeRequests.anyRequest().authenticated();
                })
                .addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter.class);

        http.exceptionHandling(exception -> exception
                .authenticationEntryPoint(authenticationEntryPoint));
        return http.build();
}

I tried to manage sessions with sessionManagement((session) -> session.sessionCreationPolicy(...)), where ... is every variant; I tried to change the CsrfTokenRequestHandler; I tried to change the CsrfTokenRepository.
