
How to implement CSRF per request in Spring Security 3.2? Currently it is handled per session. This is a must requirement.

Please post the changes that need to be performed.

in securitycontext.xml

    <http>
        <csrf />
    </http>

is given and the application is working with a token per session.


2 Answers


You can change the default implementation of CsrfTokenRepository by providing your own implementation of this interface and configuring it like:

<http>
    <csrf token-repository-ref="myRequestCsrfTokenRepository"/>
</http>
<b:bean id="myRequestCsrfTokenRepository"
        class="com.company.security.RequestCsrfTokenRepository"/>

But... although you wrote that this is a must requirement, you should really rethink it. I would even advise trying to convince the other end that this change could bring more security to the app's users, but can also bring a lot of inconveniences, sometimes strange behaviors, and in general decrease the usability and user experience. E.g. see Different csrf token per request in Spring security

    I completely agree, per request is overkill, and you will spend a lot of time (weeks) trying to get it to work in a way that will not annoy the end-users. The default implementation stores the CSRF token in the session, when you change this to per-request, it basically makes it impossible to have multiple tabs! – Klaus Groenbaek Feb 11 '17 at 00:48
  • Thank you for the answer.I tried creating custom repository but i am not getting clear picture on the implementation.my implementation is not allowing me to login itself.if we create new token on each request how can we compare the tokens ?Could you please help. – Fedrik Feb 11 '17 at 17:03
  • The security team was trying to access using the same token.i was under the impression that they took the response token .My bad.By implementing this one token will be used for a request ..i got it will implement thanks. – Fedrik Feb 13 '17 at 06:43
  • Please can you give code of com.company.security.RequestCsrfTokenRepository ? – Amit Das Feb 21 '17 at 10:07
  • I am not sure why this is an accepted answer. The job of validating and setting the token is done by the CSRFFilter and not the repository. Anybody who needs a Nonce Token must add a Custom Filter for CSRF – Vishnoo Rath Jun 30 '20 at 06:57

I have implemented a custom CSRF token repository which generates a new token for every HTTP POST/DELETE request. I don't think the token should be renewed for HTTP GET, and if you look into the source code of Spring's CsrfFilter class, it has an inner class DefaultRequiresCsrfFilter, which lets the GET method pass the token check.

The custom CSRF token repository needs to implement the interface CsrfTokenRepository. Actually I have reused most of the code of HttpSessionCsrfTokenRepository, which is the Spring default. The function that needs a custom implementation is loadToken():

    /*
     * Customized token-loading function, which invalidates the CSRF token once it is
     * consumed. A new token is generated on the next HTTP request.
     */
    public CsrfToken loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        CsrfToken token = session == null ? null : (CsrfToken) session.getAttribute(this.sessionAttributeName);
        // Only state-changing requests consume the token; GET leaves it in place.
        if ("POST".equalsIgnoreCase(request.getMethod()) || "DELETE".equalsIgnoreCase(request.getMethod())) {
            if (session != null) {
                // Remove the old token from the session (under the same attribute name it was
                // stored with); CsrfFilter will generate and save a new token on the next request.
                session.removeAttribute(this.sessionAttributeName);
            }
        }
        // The token returned here is still what CsrfFilter compares against for this request.
        return token;
    }

And to get the custom CSRF token repository loaded, it needs to be configured in security.xml, as described in the answer above.

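Both answers point at a custom `CsrfTokenRepository`, and one comment asks for the full class behind `com.company.security.RequestCsrfTokenRepository`. The following is an added, complete example written for this page; it is not code from either answer or from Spring Security itself. The package and class name are taken from the bean definition in the first answer; the session attribute name, header name (`X-CSRF-TOKEN`) and parameter name (`_csrf`) are assumptions that mirror Spring Security 3.2's defaults. It stores the token in the `HttpSession` like `HttpSessionCsrfTokenRepository`, but `loadToken()` drops the token from the session on any request that `CsrfFilter` will actually validate (anything other than GET, HEAD, TRACE, OPTIONS), so each token is accepted once for a state-changing request and the following request is issued a fresh one.

```java
package com.company.security;  // assumed package, as in the answer's bean definition

import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;

/**
 * Session-backed CsrfTokenRepository whose token is single-use for
 * state-changing requests. Wire it with
 *   <csrf token-repository-ref="myRequestCsrfTokenRepository"/>
 * as shown in the first answer. (Example code, not Spring's own.)
 */
public class RequestCsrfTokenRepository implements CsrfTokenRepository {

    // Assumed names; they only need to be consistent with what the views render.
    private static final String SESSION_ATTR_NAME =
            RequestCsrfTokenRepository.class.getName() + ".CSRF_TOKEN";
    private static final String HEADER_NAME = "X-CSRF-TOKEN";
    private static final String PARAMETER_NAME = "_csrf";

    private final SecureRandom random = new SecureRandom();

    /** Mint an unpredictable token; CsrfFilter calls this when loadToken() returns null. */
    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        byte[] bytes = new byte[32];            // 256 bits of CSPRNG output
        random.nextBytes(bytes);
        return new DefaultCsrfToken(HEADER_NAME, PARAMETER_NAME, toHex(bytes));
    }

    /** Persist the token in the session; a null token clears it (CsrfLogoutHandler does this). */
    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request,
                          HttpServletResponse response) {
        if (token == null) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(SESSION_ATTR_NAME);
            }
            return;
        }
        // Create the session on demand so the token survives to the next request.
        request.getSession(true).setAttribute(SESSION_ATTR_NAME, token);
    }

    /**
     * Return the current token for CsrfFilter to compare against the submitted value,
     * and, when this request is one the filter validates, discard it so it cannot be
     * replayed. The next request then finds no token and gets a new one generated.
     */
    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        CsrfToken token = (CsrfToken) session.getAttribute(SESSION_ATTR_NAME);
        if (token != null && requiresCsrfProtection(request)) {
            session.removeAttribute(SESSION_ATTR_NAME);
        }
        return token;
    }

    /** Same method set that Spring Security 3.2's default matcher treats as safe. */
    private static boolean requiresCsrfProtection(HttpServletRequest request) {
        String method = request.getMethod();
        return !("GET".equals(method) || "HEAD".equals(method)
                || "TRACE".equals(method) || "OPTIONS".equals(method));
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Two caveats follow from how `CsrfFilter` drives this repository, and they are the practical source of the complaints in the comments. First, the filter, not the repository, decides which token is exposed to views through the `_csrf` request attribute, and it exposes the one `loadToken()` returned; a POST handler that renders a form directly (rather than redirecting) therefore embeds the token that has just been consumed, and that form's next submit will fail. Follow the Post-Redirect-Get pattern so forms are only rendered on a GET, which always carries the freshly generated token. Second, because there is still exactly one token per session, submitting in one browser tab invalidates every form already rendered in the others; the repository cannot solve that, which is the multi-tab problem the first answer's commenter describes.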