Angular 2 / Spring Security CSRF实施问题 [英] Angular 2/Spring Security CSRF implementation problems
问题描述
我正在尝试在Spring Boot API之上构建一个Angular 2页面。我已经配置了CORS(正确的我相信),但我被Spring Security的CSRF保护所阻止。
I'm trying to build an Angular 2 page on top of a Spring Boot API. I have configured CORS (correctly I believe), but I am getting blocked by Spring Security's CSRF protection.
据我所知,Angular 2自RC2起自动处理CSRF,我在RC4上。服务器正在发送一个XSRF令牌以响应来自客户端的POST,如下所示:
It is my understanding that Angular 2 handles CSRF automatically as of RC2, and I am on RC4. The server is sending an XSRF token in response to a POST from the Client as seen here:
我认为Angular 2没有拿起它?我知道CORS正在运行,因为当我将 .ignoringAntMatchers(/ urlhere /)放在 .csrf()的末尾进行测试时,请求已经完成,所以CORS没有阻止它。这是我对HttpSecurity的配置方法:
I assume that Angular 2 is not picking it up? I know that CORS is working because when I put .ignoringAntMatchers("/urlhere/") on the end of .csrf() to test, the request went through, so CORS is not blocking it. Here is my config method for HttpSecurity:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/auth/**", "/signup/**").permitAll()
.and()
.headers()
.and()
.exceptionHandling()
.and()
.cors()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
我在客户端的登录过程包含一个方法发送凭据,然后使用JWT令牌检索凭据。这两种方法如下:
My Login process on client side consists of a method that first sends credentials, then uses a JWT token to retrieve credentials. The two methods are as follows:
sendCredentials(model) {
let tokenUrl = 'http://localhost:8080/user/login';
let headers1 = new Headers({'Content-Type': 'application/json'});
return this.http.post(tokenUrl, JSON.stringify(model), {headers: headers1});
}
sendToken(token){
let userUrl = 'http://localhost:8080/rest/user/users';
let headers2 = new Headers({'Authorization': 'Bearer '+token});
return this.http.get(userUrl, {headers:headers2});
}
为了满足CSRF保护的要求,我缺少什么?是客户端吗?或者我需要将 / login / 添加到我的antMatchers列表中?
What am I missing to satisfy the requirements for CSRF protection? Is it client side? Or am I needing to add /login/ to my list of antMatchers?
推荐答案
我知道它是迟到了,我遇到了同样的问题并设法解决了。
角度http请求中的问题:
I know it's late but, I ran into same problem and managed to solve it. Problem in angular http request:
return this.http.post(tokenUrl, JSON.stringify(model), {headers: headers1});
您需要调整它以便像这样发送:
You need to adjust it to send like that :
return this.http.post(tokenUrl, JSON.stringify(model), {headers: headers1, withCredentials: true});
您必须添加 withCredentials:true
to你的所有http请求。
为什么需要它?每次向Spring(服务器)发送http请求(OPTIONS,POST等)时,它都会生成新的XSRF-TOKEN并将其发送给客户端, withCredentials:true
将保存这个新的浏览器中的XSRF-TOKEN以及稍后用于新的http请求,因此,如果您的一个http请求没有 withCredentials:true
,它将忽略新的XSRF-TOKEN并使用旧的(过期的)XSRF-TOKEN来获取http请求。
You have to add withCredentials: true
to all your http requests.
Why you need it? Each time you send http request(OPTIONS, POST etc) to Spring(server) it will generate new XSRF-TOKEN and issue it to client, withCredentials: true
will save this new XSRF-TOKEN in browser and later on used for new http request, so in case one of your http requests doesn't have withCredentials: true
it will simply ignore new XSRF-TOKEN and use old(expired) XSRF-TOKEN for http request.
这篇关于Angular 2 / Spring Security CSRF实施问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!