CSRF Token not accepted (Spring) -


i run problem when adding csrf existing , working cors configuration.

everytime post, put or delete triggered error current token have not right 1 (nvalid csrf token 'edff86dc-093a-4df9-8218-e5343506bdf9' found on request parameter '_csrf' or header 'x-csrf-token'.).

but when compare them can't caused tokens. if trigger after (e.g. put) token before sent again , accepted.

so assume there might problem security config don't see i'm missing.

security config:

@override protected void configure(httpsecurity http) throws exception {     http.addfilterbefore(new corsfilter(), channelprocessingfilter.class);     http.authorizerequests()     .antmatchers(httpmethod.options, "/*/**").permitall()     .antmatchers("/logout", "/admin/**").authenticated();     http.csrf().ignoringantmatchers("/guestbook/**");     http.exceptionhandling().authenticationentrypoint(authenticationentrypoint);     http.formlogin().successhandler(authenticationsuccesshandler);     http.logout().logoutsuccesshandler(logoutsuccesshandler);     http.addfilterafter(new csrftokenresponseheaderbindingfilter(), csrffilter.class); }

token filter: 

public class csrftokenresponseheaderbindingfilter extends onceperrequestfilter { protected static final string request_attribute_name = "_csrf"; protected static final string response_header_name = "x-csrf-header"; protected static final string response_param_name = "x-csrf-param"; protected static final string response_token_name = "x-csrf-token";  @override protected void dofilterinternal(httpservletrequest request, httpservletresponse response, javax.servlet.filterchain filterchain) throws servletexception, ioexception {     csrftoken token = (csrftoken) request.getattribute(request_attribute_name);     system.out.println(token.gettoken());     if (token != null) {         response.setheader(response_header_name, token.getheadername());         response.setheader(response_param_name, token.getparametername());         response.setheader(response_token_name , token.gettoken());     }      filterchain.dofilter(request, response); }   }

and instance cors filter:

public void dofilter(servletrequest req, servletresponse res, filterchain chain) throws ioexception, servletexception {     httpservletresponse response = (httpservletresponse) res;     httpservletrequest request = (httpservletrequest) req;     string origin = request.getheader("origin");      response.addheader("access-control-allow-origin", origin);     response.setheader("access-control-allow-credentials", "true");     response.addheader("access-control-max-age", "10");     response.addheader("access-control-expose-headers", "x-csrf-token");     response.addheader("access-control-allow-methods", "get, post, put, delete");      string headers = request.getheader("access-control-request-headers");      if (!stringutils.isempty(headers )) {         response.addheader("access-control-allow-headers", headers );     }      if (request.getmethod().equals("options")) {          try {             response.getwriter().print("ok");             response.getwriter().flush();         } catch (ioexception e) {             e.printstacktrace();         }     } else{         chain.dofilter(request, response);     } }

the problem not only occurs when i'm logged in. if not disable csrf on guestbook path there no post possible.

i hope can give me hint.

greetings

so solved problem. after lot of seach , error discovered csrfprotectionmatcher can used enable csrf on different paths.

anyways confusing me, because thought csrf enabled on every request default. applied csrfprotectionmatcher on "/admin" path (allowing possible methods, specified null) worked. requirecsrfprotectionmatcher on docs.spring.io , detailed article

also it's possible me, work more simple configuration despite old 1 works too.

old 1 csrfprotectionmatcher :

protected void configure(httpsecurity http) throws exception {     requestmatcher csrfrequestmatcher = new requestmatcher() {          private regexrequestmatcher requestmatcher =                 new regexrequestmatcher("/admin", null);          public boolean matches(httpservletrequest request) {              if(requestmatcher.matches(request))                 return true;              return false;         }      };            http.addfilterbefore(new corsfilter(), channelprocessingfilter.class);     http     .csrf()         .requirecsrfprotectionmatcher(csrfrequestmatcher);     http.authorizerequests()     .antmatchers(httpmethod.options, "/*/**").permitall()     .antmatchers("/login", "/**/**/**").permitall()     .antmatchers("/logout", "/admin/**").authenticated();     http.exceptionhandling().authenticationentrypoint(authenticationentrypoint);     http.formlogin().successhandler(authenticationsuccesshandler);     http.logout().logoutsuccesshandler(logoutsuccesshandler);     http.addfilterafter(new csrftokenresponseheaderbindingfilter(), csrffilter.class); }

more simple configuration: 

http.addfilterbefore(new corsfilter(), channelprocessingfilter.class);     http         .csrf()             .requirecsrfprotectionmatcher(csrfrequestmatcher)             .and()         .authorizerequests()             .antmatchers("/**/**")             .permitall()         .anyrequest().authenticated()         .and()         .formlogin()             .successhandler(authenticationsuccesshandler)             .and()         .logout()             .logoutsuccesshandler(logoutsuccesshandler)             .permitall();     http.addfilterafter(new csrftokenresponseheaderbindingfilter(), csrffilter.class);

i have admit still don't know why csrf has explicit enabled. if has answer please tell me.


Comments

Post a Comment

Popular posts from this blog

javascript - jQuery: Add class depending on URL in the best way -

i have html progress meter: <div class="col-md-3" style="margin-left: -20px;"> <div class="progress-pos active" id="progess-1"> <div class="progress-pos-inner"> login </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-2"> <div class="progress-pos-inner"> scan items </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-3"> <div class="progress-pos-inner"> confirm address </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-4"> <div class="progress-pos-in...
Read more

caching - How to check if a url path exists in the service worker cache -

i need check if particular url path exists in service worker cache. example, suppose url is: /myserviceworker/service?a=110&b=70 this url exists in cache, there many of them different values of , b. now, suppose want refresh of these urls, how can that? i want know how access key values service worker cache. if know key, plan follows: var url = new url(key); if(url.pathname === "\/myserviceworker/service") refetch key but not sure how cache key , in format is. mean, string or url? cache api has match() method returns promise resolving in response object if match or undefined if no match exists. second parameter object can specify ignoresearch not take account url parameters. the ignoresearch option supported firefox ( chrome status here ). in other hand, retrieve cache entries, can use keys() method.
Read more

Redirect to a HTTPS version using .htaccess -

i need modify .htaccess file redirect urls https version without "www". http://example.com --> https://example.com http://www.example.com --> https://example.com https://www.example.com --> https://example.com this how .htaccess file looks like: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^(.*)$ redirect.php?id=$1&page=$2 [qsa,l] what modifications need make .htaccess in order forward https without "www"? it depends on doing current code. looks file called redirect trying display php page seo friendly url. think might confusing people. anyway, need , force https without www, need 1 more rule above. also second rule needs two capture groups in rewriterule test string because wanting 2 different values using $1 , $2 references. rewriteengine on #rediect www non www and/or http https --- combinations. rewritecond %{http_host} !^example\.com [nc,or] rewritecond %{https} !^...
Read more