What does CookieCsrfTokenRepository.withHttpOnlyFalse() do and when to use it?


Question

I am trying to learn Spring Security right now and I have seen many different examples using this. I know what CSRF is and that Spring Security enables it by default. The thing that I am curious to know about is this kind of customization.

  .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
  .and()
  .authorizeRequests(request -> {
                request
                    .antMatchers("/login").permitAll()
                    .anyRequest()
                    ....more code

What kind of customization does this line, .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()), make, and when is it appropriate to use it? I would appreciate it if anyone could come up with a simple explanation.

Answer

CSRF stands for Cross-Site Request Forgery.

It is a kind of token that is sent with the request to prevent such attacks. In order to use the Spring Security CSRF protection, we'll first need to make sure we use the proper HTTP methods for anything that modifies state (PATCH, POST, PUT, and DELETE – not GET).

CSRF protection with Spring's CookieCsrfTokenRepository works as follows:

  • The client makes a GET request to the server (Spring Boot backend), e.g. a request for the main page
  • Spring sends the response for the GET request along with a Set-Cookie header which contains a securely generated XSRF token
  • The browser sets the cookie with the XSRF token
  • While sending a state-changing request (e.g. POST) the client (which might be Angular) copies the cookie value into an HTTP request header
  • The request is sent with both the header and the cookie (the browser attaches the cookie automatically)
  • Spring compares the header and the cookie values; if they are the same the request is accepted, otherwise 403 is returned to the client

The method withHttpOnlyFalse allows Angular to read the XSRF cookie. Make sure that Angular makes the XHR request with the withCredentials flag set to true.

Code

// Excerpt from Spring Security's CookieCsrfTokenRepository: the methods quoted in
// the answer, plus the class header, fields, imports and the two private helpers
// (as in Spring Security 5.x) so that the excerpt compiles and reads as a whole.
import java.util.UUID;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.util.StringUtils;
import org.springframework.web.util.WebUtils;

public final class CookieCsrfTokenRepository implements CsrfTokenRepository {

    static final String DEFAULT_CSRF_COOKIE_NAME = "XSRF-TOKEN";
    static final String DEFAULT_CSRF_PARAMETER_NAME = "_csrf";
    static final String DEFAULT_CSRF_HEADER_NAME = "X-XSRF-TOKEN";

    private String parameterName = DEFAULT_CSRF_PARAMETER_NAME;
    private String headerName = DEFAULT_CSRF_HEADER_NAME;
    private String cookieName = DEFAULT_CSRF_COOKIE_NAME;
    // Default is HttpOnly: browser script (e.g. Angular) cannot read the cookie.
    private boolean cookieHttpOnly = true;
    private String cookiePath;
    private String cookieDomain;

    // Creates a token object; the value is a fresh random UUID.
    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return new DefaultCsrfToken(this.headerName, this.parameterName,
                createNewToken());
    }

    // Writes the token to the response as a cookie (a null token clears it).
    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request,
            HttpServletResponse response) {
        String tokenValue = token == null ? "" : token.getToken();
        Cookie cookie = new Cookie(this.cookieName, tokenValue);
        cookie.setSecure(request.isSecure());
        if (this.cookiePath != null && !this.cookiePath.isEmpty()) {
            cookie.setPath(this.cookiePath);
        } else {
            cookie.setPath(this.getRequestContext(request));
        }
        if (token == null) {
            cookie.setMaxAge(0);   // expire the cookie immediately
        }
        else {
            cookie.setMaxAge(-1);  // session cookie
        }
        cookie.setHttpOnly(cookieHttpOnly);
        if (this.cookieDomain != null && !this.cookieDomain.isEmpty()) {
            cookie.setDomain(this.cookieDomain);
        }

        response.addCookie(cookie);
    }

    // Reads the token back from the request's cookie; the filter then compares
    // it with the value the client sent in the header or parameter.
    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        Cookie cookie = WebUtils.getCookie(request, this.cookieName);
        if (cookie == null) {
            return null;
        }
        String token = cookie.getValue();
        if (!StringUtils.hasLength(token)) {
            return null;
        }
        return new DefaultCsrfToken(this.headerName, this.parameterName, token);
    }

    // Factory used in the question's configuration: same repository, but the
    // cookie is written without the HttpOnly flag so client-side script can read it.
    public static CookieCsrfTokenRepository withHttpOnlyFalse() {
        CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
        result.setCookieHttpOnly(false);
        return result;
    }

    public void setCookieHttpOnly(boolean cookieHttpOnly) {
        this.cookieHttpOnly = cookieHttpOnly;
    }

    private String getRequestContext(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        return contextPath.length() > 0 ? contextPath : "/";
    }

    private String createNewToken() {
        return UUID.randomUUID().toString();
    }
}

You can explore the methods from there.
