Add csrf token support #2434


Merged
merged 2 commits into from
Jun 17, 2018

Conversation

olOwOlo (Contributor) commented May 22, 2018

What's this PR do/fix?

Try to find the csrf token and add it to the header of all requests by patching the requestInterceptor. The behavior is based on the configuration described in the Spring Security reference. The following is the order in which the csrf token is looked up.

P.S. This implementation will always use the csrf token obtained the first time.

P.S. If necessary, maybe someone in the future can add the ability to configure these behaviors; I don't know how to add options. 😢

  1. CSRF token within your meta tags [1]

    The meta names must be _csrf and _csrf_header. The page at / is the one queried for the meta data.

    <html>
    <head>
      <meta name="_csrf" content="${_csrf.token}"/>
      <!-- default header name is X-CSRF-TOKEN -->
      <meta name="_csrf_header" content="${_csrf.headerName}"/>
    </head>
    </html>

  2. Define an endpoint used to fetch the csrf token [2]

    The @RequestMapping value must be /csrf.

    import org.springframework.security.web.csrf.CsrfToken;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class CsrfController {

      // Spring MVC resolves the CsrfToken of the current request as the argument
      @RequestMapping("/csrf")
      public CsrfToken csrf(CsrfToken token) {
        return token;
      }
    }

    It is important to keep the CsrfToken a secret from other domains.
    This means if you are using Cross Origin Sharing (CORS), you should NOT expose the CsrfToken to any external domains.

  3. CSRF token within your cookie [3]

    The default cookie name is XSRF-TOKEN, and the default header name is X-XSRF-TOKEN.

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

      @Override
      protected void configure(HttpSecurity http) throws Exception {
        // HttpOnly must be false so browser-side script can read the XSRF-TOKEN cookie
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
      }
    }

Are there unit tests? If not how should this be manually tested?

File      % Stmts   % Branch   % Funcs   % Lines   Uncovered Line #s
csrf.js   82.86     87.5       87.5      81.82     10,11,13,17,19,21

Any background context you want to provide?

Parameter Name: requestInterceptor
Description: Function=(a => a). MUST be a function. Function to intercept remote definition, Try-It-Out, and OAuth2 requests. Accepts one argument requestInterceptor(request) and must return the modified request, or a Promise that resolves to the modified request.

What are the relevant issues?

#1450
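The lookup order the PR describes, as an added example that is not the PR's csrf.js or any springfox code: a Swagger UI requestInterceptor that tries the meta tags on /, then the /csrf endpoint, then the XSRF-TOKEN cookie, and attaches the first token it finds as a header on every request. `env.fetchText` and `env.cookies` are assumed, injected stand-ins for window.fetch and document.cookie so the code runs offline; the `reuseFirstToken` option is also an addition, not part of the PR, included to cover the later question in this thread about a cookie token that changes on every request.

```javascript
// Added example (not springfox's csrf.js): a Swagger UI requestInterceptor that
// looks for a Spring Security CSRF token in the order the PR describes and puts
// it in a header on every request it intercepts.
//
// Assumed, injected stand-ins so this runs offline: env.fetchText(url) resolves
// to the body of a same-origin GET or null on failure (a wrapper around
// window.fetch in the browser); env.cookies is the document.cookie string.

const DEFAULT_META_HEADER = 'X-CSRF-TOKEN'; // Spring's default header when _csrf_header is absent
const COOKIE_NAME = 'XSRF-TOKEN';           // CookieCsrfTokenRepository defaults
const COOKIE_HEADER = 'X-XSRF-TOKEN';

// 1. Meta tags <meta name="_csrf"> and <meta name="_csrf_header"> on the root page.
function parseMetaTags(html) {
  const meta = {};
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*"([^"]*)"/i.exec(tag);
    const content = /\bcontent\s*=\s*"([^"]*)"/i.exec(tag);
    if (name && content) meta[name[1]] = content[1];
  }
  if (!meta._csrf) return null;
  return { token: meta._csrf, headerName: meta._csrf_header || DEFAULT_META_HEADER };
}

// 2. /csrf endpoint: a CsrfToken serialized by Jackson carries headerName and token fields.
function parseCsrfEndpoint(body) {
  try {
    const t = JSON.parse(body);
    if (t && typeof t.token === 'string' && typeof t.headerName === 'string') {
      return { token: t.token, headerName: t.headerName };
    }
  } catch (e) { /* not JSON: fall through to the next source */ }
  return null;
}

// 3. Cookie: read one cookie out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0 && part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

async function discoverCsrf(env) {
  const rootHtml = await env.fetchText('/');
  const fromMeta = rootHtml ? parseMetaTags(rootHtml) : null;
  if (fromMeta) return { ...fromMeta, source: 'meta' };

  const endpointBody = await env.fetchText('/csrf');
  const fromEndpoint = endpointBody ? parseCsrfEndpoint(endpointBody) : null;
  if (fromEndpoint) return { ...fromEndpoint, source: 'endpoint' };

  const fromCookie = readCookie(env.cookies, COOKIE_NAME);
  if (fromCookie) return { token: fromCookie, headerName: COOKIE_HEADER, source: 'cookie' };

  return null; // no token anywhere: requests go out unmodified
}

// reuseFirstToken = true is the PR's behaviour (the first token found is kept for the
// session). Set it to false when the server rotates the token per request, e.g. a
// cookie that changes after every POST/PUT/DELETE/PATCH; discovery then reruns per call.
function createCsrfInterceptor(env, { reuseFirstToken = true } = {}) {
  let cached; // undefined: not looked up yet; null: looked up, nothing found
  return async function requestInterceptor(request) {
    if (!reuseFirstToken || cached === undefined) cached = await discoverCsrf(env);
    if (!cached) return request;
    return { ...request, headers: { ...(request.headers || {}), [cached.headerName]: cached.token } };
  };
}

// Constructed offline environment: no meta tags on "/", a /csrf endpoint, and a cookie.
// With both the endpoint and the cookie present, the endpoint wins, as the order above says.
function constructedEnv() {
  const pages = {
    '/': '<html><head><title>demo</title></head><body></body></html>',
    '/csrf': '{"headerName":"X-CSRF-TOKEN","parameterName":"_csrf","token":"tok-from-endpoint"}',
  };
  return {
    fetchText: async (url) => (url in pages ? pages[url] : null),
    cookies: 'JSESSIONID=abc123; XSRF-TOKEN=tok-from-cookie',
  };
}

async function demo() {
  const interceptor = createCsrfInterceptor(constructedEnv());
  const req = await interceptor({ url: '/api/pets', method: 'POST', headers: { Accept: 'application/json' } });
  return req.headers; // { Accept: 'application/json', 'X-CSRF-TOKEN': 'tok-from-endpoint' }
}

demo().then((headers) => console.log(headers));
```

In a real page the interceptor is passed to SwaggerUIBundle as `requestInterceptor`, with `env.fetchText` wrapping a same-origin `fetch` (credentials included, so the /csrf call carries the session cookie) and `env.cookies` reading `document.cookie`. Reading the cookie only works when the repository is configured with `withHttpOnlyFalse()`, as in the configuration above; with an HttpOnly cookie step 3 silently finds nothing.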

codecov bot commented May 22, 2018

Codecov Report

Merging #2434 into master will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master    #2434   +/-   ##
=========================================
  Coverage     95.41%   95.41%           
  Complexity     2956     2956           
=========================================
  Files           336      336           
  Lines          7856     7856           
  Branches        620      620           
=========================================
  Hits           7496     7496           
  Misses          227      227           
  Partials        133      133

olOwOlo (Contributor, Author) commented Jun 14, 2018

Hi @dilipkrish, any suggestion?

@dilipkrish dilipkrish left a comment

Thank you for the PR! 👍 and 🤘 for the tests! I don't know enough about the javascript ecosystem, so I had one question about the babel configuration change. @kasecato do you have any feedback?

@@ -4,6 +4,7 @@
"targets": {
"browsers": ["last 2 versions"]
}
}]
}],
"stage-3"
Member (dilipkrish):

Why do we need this?

Contributor (kasecato):

@dilipkrish I think they want to use object-rest-spread.

...request.headers,

olOwOlo (Contributor, Author):

As @kasecato said.

I will push a new commit to refactor it. If you prefer this way, I will revert the commit.

@dilipkrish dilipkrish added the PR label Jun 17, 2018
dilipkrish (Member) commented

@olOwOlo I didn't mean for you to change it, I was just asking if that has an impact on what browsers are supported. Thank you for doing that though.

Also one last question. Does the swagger-ui.html need to change? Seems like it should have the meta tags as you suggested?

<!-- The meta name must be _csrf and _csrf_header. / is the page used to query meta data. -->

<html>
<head>
  <meta name="_csrf" content="${_csrf.token}"/>
  <!-- default header name is X-CSRF-TOKEN -->
  <meta name="_csrf_header" content="${_csrf.headerName}"/>
</head>

olOwOlo (Contributor, Author) commented Jun 17, 2018

@dilipkrish No, swagger-ui.html is a fully static file (is it?). Meta tags should be included in templates, such as JSP, FreeMarker, Thymeleaf, etc.

@dilipkrish dilipkrish added this to the 2.9.1 milestone Jun 17, 2018
@dilipkrish dilipkrish merged commit 55f3177 into springfox:master Jun 17, 2018
dilipkrish (Member) commented

@olOwOlo thank you!!

tangxiucai2 commented

  1. CSRF

Where is the CsrfToken class?

ahoehma commented Feb 28, 2020

Hello guys, sorry but I have to ask :) Is there somewhere a "complete" example of how to get rid of the "404 for csrf" in Spring Boot 2.X?

liuweiGL commented

This is a terrible PR.

bmistry13 commented

If the CSRF token is in a cookie, how can Swagger UI pick it up? The token changes on ANY POST/PUT/DELETE/PATCH operation. So, is there any logic to pick up the value from the cookie?
