Spring Security CSRF令牌存储库cookie是否会自动处理所有Ajax请求？ [英] Will Spring Security CSRF Token Repository Cookies Work for all Ajax Requests Automatically?

问题描述

我正在经历以下安全教程，它会配置 CsrfTokenRepository ，例如：

I'm going through the following security tutorial and it configures a CsrfTokenRepository like this:

.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

要使Ajax请求在所有库中都能正常工作，这是否是必需的？ $ http 的Angular文档说，Angular读取Spring提供的CSRF cookie并在发出请求时设置相应的标头。所以我假设这样做是因为发送Ajax请求时不会自动包含cookie？

Is that all that is required to get Ajax requests working across all libraries? The Angular documentation for $http says that Angular reads the CSRF cookie that Spring provides and sets a corresponding a header when it makes requests. So I'm assuming it does this because the cookie will not automatically be included when sending Ajax requests?

我再次阅读了该文章，并说CSRF保护由标头提供。因此，如果我以正确的方式解释了这一事实，那就是客户端以一种独特的方式发送回cookie值，该值不同于最初提供CSRF保护的发送者。换句话说，客户端接收cookie并更改发送回cookie的方式，以便服务器知道客户端确实在控制cookie？

I read the article again and it says that the CSRF protection is provided by the header. So if I interpret that the right way it's the fact that the client is sending back the cookie value in a unique way that is different than it was sent in the first place that provides the CSRF protection. In other words the client receives the cookie and changes the way it is sent back, so that the server knows that the client is indeed in control of the cookie?

推荐答案

使用Spring CookieCsrfTokenRepository进行CSRF保护的工作原理如下：

CSRF protection with Spring CookieCsrfTokenRepository works as follows:

1. 客户端向服务器（春季后端）发出GET请求，例如主页请求


2. Spring发送GET请求的响应以及包含安全生成的XSRF令牌的Set-cookie标头


3. 浏览器设置cookie使用XSRF令牌


4. 在发送状态更改请求（例如POST）时，客户端（Angular）将cookie值复制到HTTP请求标头中


5. 该请求与标头和cookie一起发送（浏览器自动附加cookie）


6. Spring比较标头和cookie的值，如果它们相同，则接受请求，否则返回403客户端

1. Client makes a GET request to Server (Spring backend), e.g. request for the main page
2. Spring sends the response for GET request along with Set-cookie header which contains securely generated XSRF Token
3. Browser sets the cookie with XSRF Token
4. While sending state changing request (e.g. POST) the client (Angular) copies the cookie value to the HTTP request header
5. The request is sent with both header and cookie (browser attaches the cookie automaticaly)
6. Spring compares the header and the cookie values, if they are the same the request is accepted, otherwise 403 is returned to the client

请注意，默认情况下，只有状态更改请求（POST，PUT，DELETE）受CSRF保护，并且只有在以下情况下才需要保护这些请求API的设计正确（即GET请求没有副作用，例如，修改了应用的状态）。

Note that only state changing requests (POST, PUT, DELETE) are CSRF protected by default and only these need to be protected when API is properly designed (i.e. GET requests don't have side effects and modify the state of the app for example).

方法 withHttpOnlyFalse 允许angular读取XSRF cookie。确保Angular在XHR请求中将 withCreddentials 标志设置为true。

The method withHttpOnlyFalse allows angular to read XSRF cookie. Make sure that Angular makes XHR request with withCreddentials flag set to true.

这篇关于Spring Security CSRF令牌存储库cookie是否会自动处理所有Ajax请求？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！