Angular 2 / Spring Security CSRF实施问题 [英] Angular 2/Spring Security CSRF implementation problems

问题描述

我正在尝试在Spring Boot API之上构建一个Angular 2页面。我已经配置了CORS（正确的我相信），但我被Spring Security的CSRF保护所阻止。

I'm trying to build an Angular 2 page on top of a Spring Boot API. I have configured CORS (correctly I believe), but I am getting blocked by Spring Security's CSRF protection.

据我所知，Angular 2自RC2起自动处理CSRF，我在RC4上。服务器正在发送一个XSRF令牌以响应来自客户端的POST，如下所示：

It is my understanding that Angular 2 handles CSRF automatically as of RC2, and I am on RC4. The server is sending an XSRF token in response to a POST from the Client as seen here:

我认为Angular 2没有拿起它？我知道CORS正在运行，因为当我将 .ignoringAntMatchers（/ urlhere /）放在 .csrf（）的末尾进行测试时，请求已经完成，所以CORS没有阻止它。这是我对HttpSecurity的配置方法：

I assume that Angular 2 is not picking it up? I know that CORS is working because when I put .ignoringAntMatchers("/urlhere/") on the end of .csrf() to test, the request went through, so CORS is not blocking it. Here is my config method for HttpSecurity:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .authorizeRequests()
            .antMatchers("/auth/**", "/signup/**").permitAll()
            .and()
        .headers() 
            .and()
        .exceptionHandling()
            .and()
        .cors()
            .and()
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

}

我在客户端的登录过程包含一个方法发送凭据，然后使用JWT令牌检索凭据。这两种方法如下：

My Login process on client side consists of a method that first sends credentials, then uses a JWT token to retrieve credentials. The two methods are as follows:

sendCredentials(model) {
   let tokenUrl = 'http://localhost:8080/user/login';
   let headers1 = new Headers({'Content-Type': 'application/json'});

   return this.http.post(tokenUrl, JSON.stringify(model), {headers: headers1});
}

sendToken(token){
   let userUrl = 'http://localhost:8080/rest/user/users';
   let headers2 = new Headers({'Authorization': 'Bearer '+token});

   return this.http.get(userUrl, {headers:headers2});
}

为了满足CSRF保护的要求，我缺少什么？是客户端吗？或者我需要将 / login / 添加到我的antMatchers列表中？

What am I missing to satisfy the requirements for CSRF protection? Is it client side? Or am I needing to add /login/ to my list of antMatchers?

推荐答案

我知道它是迟到了，我遇到了同样的问题并设法解决了。
角度http请求中的问题：

I know it's late but, I ran into same problem and managed to solve it. Problem in angular http request:

return this.http.post(tokenUrl, JSON.stringify(model), {headers: headers1});

您需要调整它以便像这样发送：

You need to adjust it to send like that :

return this.http.post(tokenUrl, JSON.stringify(model), {headers: headers1, withCredentials: true});

您必须添加 withCredentials：true to你的所有http请求。
为什么需要它？每次向Spring（服务器）发送http请求（OPTIONS，POST等）时，它都会生成新的XSRF-TOKEN并将其发送给客户端， withCredentials：true 将保存这个新的浏览器中的XSRF-TOKEN以及稍后用于新的http请求，因此，如果您的一个http请求没有 withCredentials：true ，它将忽略新的XSRF-TOKEN并使用旧的（过期的）XSRF-TOKEN来获取​​http请求。

You have to add withCredentials: true to all your http requests. Why you need it? Each time you send http request(OPTIONS, POST etc) to Spring(server) it will generate new XSRF-TOKEN and issue it to client, withCredentials: true will save this new XSRF-TOKEN in browser and later on used for new http request, so in case one of your http requests doesn't have withCredentials: true it will simply ignore new XSRF-TOKEN and use old(expired) XSRF-TOKEN for http request.

这篇关于Angular 2 / Spring Security CSRF实施问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！