What does CookieCsrfTokenRepository.withHttpOnlyFalse() do and when to use it?


Problem description


I am trying to learn Spring Security right now and I have seen many different examples using this. I know what CSRF is and that Spring Security enables it by default. The thing that I am curious about to know is this kind of customization.

  .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
  .and()
  .authorizeRequests(request -> {
                request
                    .antMatchers("/login").permitAll()
                    .anyRequest()
                    ....more code


What kind of customization does this line, .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()), do, and when is it appropriate to use it? I would appreciate it if anyone can come up with a simple explanation.

Recommended answer

CSRF stands for Cross Site Request Forgery.


It is one kind of token that is sent with the request to prevent the attacks. In order to use the Spring Security CSRF protection, we'll first need to make sure we use the proper HTTP methods for anything that modifies the state (PATCH, POST, PUT, and DELETE – not GET).


CSRF protection with Spring CookieCsrfTokenRepository works as follows:

  • The client makes a GET request to Server (Spring Boot Backend), e.g. request for the main page
  • Spring sends the response for GET request along with Set-cookie header which contains securely generated XSRF Token
  • The browser sets the cookie with XSRF Token
  • While sending a state-changing request (e.g. POST) the client (might be angular) copies the cookie value to the HTTP request header
  • The request is sent with both header and cookie (browser attaches the cookie automatically)
  • Spring compares the header and the cookie values, if they are the same the request is accepted, otherwise, 403 is returned to the client


The method withHttpOnlyFalse allows Angular to read the XSRF cookie. Make sure that Angular makes the XHR request with the withCredentials flag set to true.

Code from CookieCsrfTokenRepository:

// Methods excerpted from Spring Security's CookieCsrfTokenRepository; headerName, parameterName,
// cookieName, cookiePath, cookieDomain and cookieHttpOnly are fields of that class.
@Override
public CsrfToken generateToken(HttpServletRequest request) {
    // Mint a fresh random token. The repository keeps no server-side state;
    // the cookie written by saveToken() is the only copy.
    return new DefaultCsrfToken(this.headerName, this.parameterName,
            createNewToken());
}

@Override
public void saveToken(CsrfToken token, HttpServletRequest request,
        HttpServletResponse response) {
    // A null token clears the cookie: empty value plus max-age 0 below
    String tokenValue = token == null ? "" : token.getToken();
    Cookie cookie = new Cookie(this.cookieName, tokenValue);
    // Secure flag only when the current request itself came in over HTTPS
    cookie.setSecure(request.isSecure());
    if (this.cookiePath != null && !this.cookiePath.isEmpty()) {
        cookie.setPath(this.cookiePath);
    } else {
        cookie.setPath(this.getRequestContext(request));
    }
    if (token == null) {
        cookie.setMaxAge(0);
    }
    else {
        cookie.setMaxAge(-1); // session cookie: lives until the browser closes
    }
    // withHttpOnlyFalse() sets this field to false so page script (e.g. Angular) can read the cookie
    cookie.setHttpOnly(cookieHttpOnly);
    if (this.cookieDomain != null && !this.cookieDomain.isEmpty()) {
        cookie.setDomain(this.cookieDomain);
    }

    response.addCookie(cookie);
}

@Override
public CsrfToken loadToken(HttpServletRequest request) {
    // The expected token is read back from the cookie the browser sent; a missing or
    // empty cookie means "no token", and the CsrfFilter then rejects state-changing requests
    Cookie cookie = WebUtils.getCookie(request, this.cookieName);
    if (cookie == null) {
        return null;
    }
    String token = cookie.getValue();
    if (!StringUtils.hasLength(token)) {
        return null;
    }
    return new DefaultCsrfToken(this.headerName, this.parameterName, token);
}

// Factory used in the question: same repository, but with the HttpOnly flag turned off
public static CookieCsrfTokenRepository withHttpOnlyFalse() {
    CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
    result.setCookieHttpOnly(false);
    return result;
}

You can explore these methods here.

