How to configure Spring Security to send 'X-CSRF-TOKEN'?


Problem description

The problem is to get the CSRF tokens working between Spring Security and Angular.

Spring Security CSRF Token Interceptor for Angular seems like something that should do the job, but there is no 'X-CSRF-TOKEN' in the HEAD response from the server.

My current tiny implementation is available in GitHub (Tag v.1.0) and I would appreciate a lot if somebody who knows the topic would have a quick look on the code, the problem should be easy to spot.

Based on the documentation, I am under the impression that CSRF should have been enabled automatically, but that seems not to be the case.

I am using Spring Boot and prefer the annotation-based configuration over XML, if something needs to be configured differently.

Any other approaches to make Spring Security work against Angular?

Recommended answer

Angular looks for a cookie called "XSRF-TOKEN" I believe, so the easiest thing to do for the client is to send that. You can do it in a Filter for instance (example from https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/single/src/main/java/demo/UiApplication.java#L65):

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.web.csrf.CsrfToken;
    import org.springframework.web.filter.OncePerRequestFilter;

    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                // Spring's CsrfFilter exposes the current token as a request attribute
                // keyed by the CsrfToken class name.
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
                        .getName());
                if (csrf != null) {
                    // Copy the token into the cookie Angular reads. It is deliberately
                    // not HttpOnly so client-side script can echo it back in a header.
                    Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                    cookie.setPath("/");
                    response.addCookie(cookie);
                }
                filterChain.doFilter(request, response);
            }
        };
    }

Update: since Spring Security 4.2 the correct cookie name for Angular is used by default if you use the cookie CSRF repository (the link is still the best source), i.e. there is no longer any need for a custom filter. Example:

    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    // ... (remaining HttpSecurity configuration elided in the original)
                    .and()
                .csrf()
                    // Stores the token in a cookie named XSRF-TOKEN that script may read
                    // (httpOnly=false) and expects it back in the X-XSRF-TOKEN header,
                    // which are exactly the names Angular uses.
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        }
    }
