This feature provides components to help you protect against CSRF attacks. CSRF protection support was introduced with Spring Security 3.2 and provides first-class integration with Spring Web MVC. In general, the integration is straightforward for web applications that use "traditional" server-side HTML rendering (i.e. multi-page applications), because the synchronizer token can simply be embedded in every rendered form.
Add the module by including the following dependency in your POM:
<dependency>
    <groupId>com.netcetera.girders</groupId>
    <artifactId>girders-starter-csrf</artifactId>
</dependency>
The challenge with single-page applications is transporting the CSRF synchronizer token to the client so that it can be sent with subsequent REST API calls.
A common approach is to set a cookie that carries the token value to the client. Client-side JavaScript reads the cookie value and sends it in an HTTP header X-CSRF-TOKEN (the header name Spring Security's CsrfFilter checks by default) with every Ajax request to a CSRF-protected endpoint. Because the cookie only transports the token and the server still validates the header against the token it stores in the session, the cookie itself does not need to be unguessable beyond the token value. This approach is supported out of the box by e.g. the Angular http service; note that Angular's defaults are the cookie name XSRF-TOKEN and the header name X-XSRF-TOKEN, so the cookie and header names used by the client must be configured to match the ones the server expects.
This feature provides a simple servlet filter CsrfTokenCookieBindingFilter to support this use case.
The filter is meant to be used in conjunction with the Spring Security CsrfFilter setup that enables CSRF protection.
To make use of the filter, add it to the Spring Security filter chain after CsrfFilter (which loads or generates the token for the current request), as follows:
http
    // Your custom HttpSecurity configuration...
    // Note: CSRF protection is enabled by default (i.e. CsrfFilter is set up)
    .addFilterAfter(new CsrfTokenCookieBindingFilter(), CsrfFilter.class);
By default, the filter sets a cookie CSRF-TOKEN using the context path as the cookie path. To use a fixed cookie path instead, pass the path to the filter constructor, e.g.: new CsrfTokenCookieBindingFilter("my-cookie-path");
Keep in mind that the cookie has to be readable by client-side JavaScript, so it cannot be marked HttpOnly; the token it carries is therefore only as well protected as the page's other script-accessible state.
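The client-side half of the approach described above, as an added example that is not part of Girders or Spring Security: a small helper that reads the CSRF-TOKEN cookie from a document.cookie-style string and attaches it as the X-CSRF-TOKEN header, but only for state-changing requests (Spring Security's CsrfFilter does not require the token for GET, HEAD, OPTIONS and TRACE). The csrfFetch wrapper and the fetchImpl/cookieString parameters are hypothetical conveniences so the code can be exercised outside a browser; the cookie string used below is constructed sample data.

```javascript
// Added example, not Girders or Spring Security code.
// Names match the defaults described on this page: the filter sets the
// CSRF-TOKEN cookie, Spring Security's CsrfFilter reads the X-CSRF-TOKEN header.
const CSRF_COOKIE_NAME = 'CSRF-TOKEN';
const CSRF_HEADER_NAME = 'X-CSRF-TOKEN';

// Methods Spring Security's default CSRF matcher treats as safe (no token required).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
// Values are URL-decoded, since cookie values are commonly percent-encoded.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name) cookies[name] = decodeURIComponent(value);
  }
  return cookies;
}

// Return the token transported by the CSRF-TOKEN cookie, or null if absent.
function readCsrfToken(cookieString) {
  const token = parseCookies(cookieString)[CSRF_COOKIE_NAME];
  return token ? token : null;
}

// Copy the given headers and add X-CSRF-TOKEN for state-changing methods only.
// A missing cookie is an error rather than a silent omission: the request would
// be rejected by CsrfFilter anyway, and failing here makes the cause obvious.
function withCsrfHeader(method, headers, cookieString) {
  const result = { ...(headers || {}) };
  if (SAFE_METHODS.has(String(method).toUpperCase())) return result;
  const token = readCsrfToken(cookieString);
  if (!token) {
    throw new Error(`${CSRF_COOKIE_NAME} cookie not present; load a page or GET endpoint first so the filter can set it`);
  }
  result[CSRF_HEADER_NAME] = token;
  return result;
}

// Hypothetical fetch wrapper (assumption: not part of any library). fetchImpl and
// cookieString are injectable so the wrapper can be driven outside a browser.
async function csrfFetch(url, options = {}, deps = {}) {
  const fetchImpl = deps.fetchImpl || globalThis.fetch;
  const cookieString = deps.cookieString !== undefined
    ? deps.cookieString
    : (globalThis.document ? globalThis.document.cookie : '');
  const method = String(options.method || 'GET').toUpperCase();
  const headers = withCsrfHeader(method, options.headers, cookieString);
  // credentials: 'same-origin' so the session cookie backing the token is sent too.
  return fetchImpl(url, { ...options, method, headers, credentials: 'same-origin' });
}

// Constructed sample cookie string, as a browser would expose it via document.cookie.
const SAMPLE_COOKIES = 'JSESSIONID=0A1B2C3D; CSRF-TOKEN=8c2f%2D41e0%2Dabc; theme=dark';

module.exports = { parseCookies, readCsrfToken, withCsrfHeader, csrfFetch, SAMPLE_COOKIES };
```

In the browser, pass document.cookie (or let csrfFetch pick it up) and use csrfFetch in place of fetch for calls to protected endpoints; if the cookie path is restricted via the filter constructor, the cookie is only visible to pages under that path, which is also where the helper must run.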
It should be noted that the CSRF functionality provided by Girders builds on top of Spring Security, which means that, by default, you also get the Spring Security auto-configuration enabled in your application. If you don't need that auto-configuration, you can either disable it completely by excluding SecurityAutoConfiguration in your @EnableAutoConfiguration annotation, or you can just disable the configuration of basic authentication by setting the security.basic.enabled application property to false.