All Questions
272 questions
0 votes, 0 answers, 121 views
How Does Spring Boot Validate CSRF Tokens Stored in Cookies?
CSRF is really confusing, I'm using an example on GitHub to learn about it.
Link spring-security-angular-csrf-login
Thanks marcusdacoregio.
Now, I see that a CSRF token is stored in a cookie and sent to ...
0 votes, 0 answers, 78 views
Store a CSRF token in a cookie
Well, I'm learning about CSRF protection for my Angular - Spring Boot app.
Now, I've been reading about this in the Angular documentation and it says
HttpClient supports a common mechanism used to prevent ...
0 votes, 0 answers, 105 views
Should the CSRF token endpoint be left unauthenticated?
I'm trying my hands on building a web application with React Frontend and Spring boot backend. My Frontend will talk to my Backend only via Rest API calls (No server-side generated pages will be sent)....
0 votes, 1 answer, 313 views
Is BREACH protection necessary for SPA by Spring Security?
I have a typical web application where my backend is based on Spring Boot 3.2 having Spring Security 6.2+, and my frontend is based on Angular 13+
According to Spring CSRF configuration for SPA docs ...
0 votes, 1 answer, 112 views
"An expected CSRF token cannot be found" Spring Boot 3.2.1 gateway + Spring Security 6.2.1
I am working on a basic microservices architecture system. Currently, I am trying to implement security on my gateway. However, when I try to send a POST via Postman to http://localhost:8765/api/auth/...
1 vote, 0 answers, 463 views
Making Angular add the X-XSRF-TOKEN header despite not having a root cookie
In our application (frontend is in angular, backend in java) there's the problem of not adding the X-XSRF-TOKEN header on a request, resulting in backend returning 403 (forbidden).
The xsrf mechanism ...
5 votes, 0 answers, 459 views
csrf() doesn't work with WebTestClient in non-reactive code
I want to use a WebTestClient for integration tests in spring boot on non-reactive code.
Endpoint which I want to use has csrf protection provided by spring security.
When I use test like below:
@...
1 vote, 1 answer, 2k views
Spring security 6.0 - oauth2Login with MS Azure and CSRF token - how to login there in Postman?
I'm a beginner in Spring Security configuration and my purpose is to set up 2 things:
CSRF token
Authorization by Microsoft Azure
Firstly I've added oauth client in properties:
spring.security.oauth2.client....
-1 votes, 1 answer, 305 views
Deprecated methods in Spring 6.1.1
I am trying to implement SecurityfilterChain and many methods have been deprecated such as cors(), and(), authorizeHttpRequests() and formLogin().
I am lost and I don't know how to fix my code:
@...
1 vote, 2 answers, 510 views
Spring 3 -- can't refresh csrf token
I have a production application that will refresh a csrf token like so
private static final String CSRF_TOKEN_SETTER = "window.import.meta.env.CSRF_TOKEN=\"%s\";";
// sets ...
1 vote, 1 answer, 2k views
Spring security and filter chain
Good morning.
I'm struggling with the filter chain and security configuration for Spring Security
@Configuration
public class SecurityConfiguration {
@Autowired
private ...
0 votes, 1 answer, 462 views
Why does Spring Security's CsrfFilter's CsrfTokenRequestHandler.resolveCsrfTokenValue method always return 'null'?
I am configuring CSRF protection using Spring Security. However, I am encountering an issue where the resolveCsrfTokenValue method of CsrfFilter always returns null.
In the resolveCsrfTokenValue ...
0 votes, 0 answers, 222 views
Client request fails due to CSRF check in Spring Boot test
I have a spring boot application and I'm trying to write an integration test that will check that everything works from the client request to the server response including DB queries, etc.
Here is my @...
3 votes, 3 answers, 7k views
"An expected CSRF token cannot be found" using Spring boot 3.0.5
I am using Spring boot 3.0.5 along with Spring Security 6.
I am facing this issue when I am trying to call an endpoint to register an account into the application: An expected CSRF token cannot be ...
2 votes, 2 answers, 1k views
Does spring-security automatically disable CSRF when Authorization header (bearer jwt token) is used?
I have configured my Spring Boot application to work as an OAuth2 resource server which expects JWT tokens in every request. I'm seeing some behaviour with Spring Security such as below:
If I don't ...
2 votes, 1 answer, 1k views
Websockets - CSRF with Spring Boot and STOMP
How is CSRF over WebSockets expected to work?
I am sending a CSRF Token as STOMP header on the Connect but the org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor does not seem to ...
5 votes, 1 answer, 8k views
Spring Security not sending CSRF token in REST Application
I'm new to Spring Security and I'm trying to understand the CSRF mechanism. I have a Spring based application with Angular. As far as I know, Spring will send a CSRF Token in a cookie on the first GET ...
1 vote, 1 answer, 745 views
Why can CookieCsrfTokenRepository.withHttpOnlyFalse() in spring security handle CSRF attack?
CookieCsrfTokenRepository.withHttpOnlyFalse() stores the XSRF Token in cookies, and allows front-end to extract cookie contents using JS code. The front-end then appends XSRF Token to http header.
But ...
0 votes, 1 answer, 708 views
Can't access Spring Security /login endpoint when CSRF is enabled
I've found quite a few questions about this, but no real answers in my case. I am using Spring with Java on my back-end and a React front-end with Axios JS. When trying to access the /login endpoint ...
0 votes, 1 answer, 2k views
CSRF on spring cloud gateway removing formData from POST requests 400 bad request error
I have enabled CSRF on my spring cloud api gateway server.
I have angular as my GUI framework which calls the rest services through the api gateway.
I have used a custom filter to add the CSRF token ...
-1 votes, 1 answer, 701 views
CSRF token not provided with spring boot 2.7.1
I was using version 2.6.x of spring boot with success.
I've switched to 2.7.1. and adapted some of my security config to match the new format.
But now the CSRF tokens are no longer generated for me and ...
2 votes, 1 answer, 4k views
How to fix "To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead."
I am using Spring Boot 2.7.0 (http://localhost:8080) , JDK/Java 17, React 18 (http://localhost:3000).
Error
2022-06-14 08:42:49 ERROR o.a.c.c.C.[.[.[.[dispatcherServlet] - Servlet.service() for ...
0 votes, 0 answers, 1k views
Java SpringBoot Spring Security: http.csrf().disable().build() Invalid CSRF-token
Small question regarding Java SpringBoot + Spring Security app please.
I have a web app, which is designed as a server, to be called only by other servers.
There are no webpages at all involved, no ...
1 vote, 0 answers, 2k views
Spring CSRF unrestricted RequestMapping
Small question regarding a SonarQube scan on a SpringBoot project please.
I have a very simple handler, super simple, as follow:
@ResponseBody
@RequestMapping(method = { RequestMethod.GET, ...
0 votes, 1 answer, 1k views
Which mechanism to use for CSRF token handling with spring security
I am new to web security and implementation of same using spring-security. One important concept is prevention from CSRF using CSRF token. Spring security has provided two ways to manage CSRF token
...
2 votes, 1 answer, 7k views
Invalid CSRF token found - Spring Boot and Axios
I would like to post using Axios to my Spring Boot server. If I disable csrf using .csrf().disable() it works correctly however it fails when enabled.
I've tried adding X-CSRF-TOKEN to the header, or ...
0 votes, 1 answer, 425 views
Disable CSRF for specific URLs SPA Spring Gateway WebFlux
I have the following CSRF code in WebFilterChain:
.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
.requireCsrfProtectionMatcher(getURLsForDisabledCSRF())
I ...
1 vote, 0 answers, 2k views
Spring Cloud Gateway POST Forbidden with CSRF enable
I want to enable CSRF in Spring Cloud Gateway with webflux. I have minimum configuration for that as described in link:
https://docs.spring.io/spring-security/site/docs/5.2.x/reference/html/protection-...
1 vote, 4 answers, 547 views
In what package is the .csrf() method now located in Spring 5?
I am trying to write an IT.
mockMvc.perform( post( "/my_endpoint" )
.contentType( MediaType.APPLICATION_JSON )
.header("Authorization", my_credentials)
...
3 votes, 1 answer, 2k views
How can front-end get the CSRF token generated from the back-end?
I'm developing a back-end API of a web application (using Spring Boot). The API authenticates the users using JWT tokens. I have an endpoint for registering an account (POST /register).
Since it is a ...
1 vote, 0 answers, 510 views
How to test CSRF protection on Spring?
If I am not mistaken, CSRF protection is enabled by default with the Java configuration.
Currently on my Spring Boot Project I have created a configuration class in which I have set a control that ...
1 vote, 1 answer, 3k views
CSRF token is configured but still POST requests are not working in spring boot app
I have a standard Spring Boot application and have configured CSRF in my Spring Security configuration as below:
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()....
0 votes, 0 answers, 57 views
How to handle csrf in spring boot production ready projects
I am quite new to Spring Boot, and I was asked to implement a POST microservice endpoint to expose to another system to post some data into the DB (which I have handled through Java code).
And I am planning to ...
2 votes, 0 answers, 142 views
Spring gateway server fails when the gateway server is protected with CSRF and the request content type is application/x-www-form-urlencoded
The Spring gateway server cannot get a response from the upstream server when the gateway server is protected with CSRF and the request content type is application/x-www-form-urlencoded.
There are two simple servers.
the ...
0 votes, 1 answer, 165 views
Spring boot throws 403 for Mobile requests even when csrf is disabled
I have a simple Spring boot application that has a POST rest api method to register users. This works perfectly when I test it through Postman. But when I test it from my Mobile application, this ...
0 votes, 0 answers, 157 views
How to get CSRF token from the GET /csrf endpoint? [duplicate]
My goal is to add CSRF to STOMP headers.
What I've tried and it does work, but I am not sure whether I should use this or not as I do not found this solution on the Spring Security Reference:
Use ...
0 votes, 0 answers, 869 views
Spring Security CSRF Cookie ignored by chrome
I am trying to implement CSRF protection using spring and angular. In Spring, I configured:
CookieCsrfTokenRepository cookieCsrfTokenRepository = new CookieCsrfTokenRepository();
...
0 votes, 1 answer, 466 views
How to enable CSRF for all requests in Spring Security
As Spring disables CSRF token validation for certain methods like GET, how can we enable CSRF token validation for all requests, including GET, using Spring Security?
2 votes, 0 answers, 2k views
How are CSRF tokens stored on the server side (by Spring Security or Tomcat)?
This question is not about how CSRF tokens work, but rather about how they are stored on the server side.
In short, CSRF tokens are generated by the server and injected into the web page/form. When the ...
0 votes, 1 answer, 1k views
Error 403 on Spring Boot web API without Spring Security
I'm building a web API based on Spring Boot with the following POM configuration
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4....
0 votes, 2 answers, 546 views
Spring security: activating csrf protection breaks other functionality
I'm using Spring Security 5.0.13 and I'd like to activate the csrf protection for the login page. I'm using the xml configuration, which I changed from
<http>
...
<csrf disabled="...
0 votes, 1 answer, 1k views
CSRF disable doesn't work in Spring Security
I'm currently testing a REST API with Spring Security. Because this is just testing, I'm disabling CSRF. With the code below, a Postman get request to /users works perfectly, but any other type of ...
4 votes, 1 answer, 1k views
Spring Boot Angular CSRF token handshake error
So I keep on getting an error regarding a request from my frontend (Angular) to my backend (Spring Boot). I have an assumption that I don't send it correctly from my frontend to the backend.
spring ...
1 vote, 0 answers, 46 views
Spring cannot receive CSRF token from Angular request
So I have this problem where I can't get any further. My backend returns a csrf token on every request (httpbasic disabled).
But somehow even though I send it back to spring through angular I get a ...
1 vote, 0 answers, 78 views
spring security implementation to secure REST APIs in my spring boot project
I have a RestController which has one API that is used to authenticate a user. I want this API to be accessible by anyone whether authenticated or not and irrespective of their roles. In other words, ...
0 votes, 1 answer, 295 views
Spring: How to protect a login page against csrf (without breaking changes)?
I have a Java project which uses Spring.
I need to protect the login page against CSRF attacks.
At the moment, my Spring xml configuration file contains
<http>
...
<csrf disabled="...
15 votes, 2 answers, 19k views
What does CookieCsrfTokenRepository.withHttpOnlyFalse() do and when to use it?
I am trying to learn Spring Security right now and I have seen many different examples using this. I know what CSRF is and that Spring Security enables it by default.
The thing that I am curious about ...
0 votes, 0 answers, 251 views
Spring CSRF invalidates the manual logged-in session
I am using spring in my web application. I have a signup form. The user fills up this form, the server creates the user account and programmatically logs in the user. The manual login invalidates the ...
1 vote, 0 answers, 298 views
REST API POST/PUT/DELETE methods work in Postman only with CSRF off (Spring Security)
I am trying to send JSON via Postman to my application, but I always get this error:
HTTP Status 405 - Method Not Allowed
Message: Request method 'POST' not supported
Description: The method received in ...