I have a Spring Boot application which I secured with Spring Security. Now I want to protect it from CSRF vulnerability, so I added this line to my Spring Security configuration:
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
For the client side, I'm using AngularJS 1.6. I added these two lines to my app.js file:
// cookie name the $http service reads and header name it copies the value into
// (these two values are also AngularJS's built-in defaults)
$httpProvider.defaults.xsrfCookieName = 'XSRF-TOKEN';
$httpProvider.defaults.xsrfHeaderName = 'X-XSRF-TOKEN';
Now I'm getting an unauthorised status when I try to do some requests.
I think I'm missing something, could anyone help me?
---- More details: here is my Spring Security configuration:
// The configure(HttpSecurity) override from the question, shown inside its
// WebSecurityConfigurerAdapter subclass with the imports it needs. The class name,
// the field types and the @Autowired injection are assumed from the builder method
// signatures; AlreadyConnectedFilter, CustomSessionInformationExpiredStrategy and the
// handler/provider beans are the asker's own classes, not shown in the post.
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired private AuthenticationProvider authProvider;
    @Autowired private AuthenticationEntryPoint authenticationEntryPoint;
    @Autowired private AuthenticationSuccessHandler authSuccessHandler;
    @Autowired private AuthenticationFailureHandler authFailureHandler;
    @Autowired private LogoutSuccessHandler logoutSuccessHandler;

    // assumed: the registry used by maximumSessions() below; the post only calls sessionRegistry()
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("Setting up Security configuration");
        // CSRF token kept in a readable (non-HttpOnly) "XSRF-TOKEN" cookie so the AngularJS
        // $http client can copy its value into the "X-XSRF-TOKEN" request header
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()/*.disable()*/
            .addFilterBefore(new AlreadyConnectedFilter(), UsernamePasswordAuthenticationFilter.class)
            .authenticationProvider(authProvider)
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
            .formLogin()
                .permitAll()
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(authSuccessHandler)
                .failureHandler(authFailureHandler)
                .and()
            .logout()
                .permitAll()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "DELETE"))
                .logoutSuccessHandler(logoutSuccessHandler)
                .and()
            .sessionManagement()
                .maximumSessions(-1)   // -1 = no limit on concurrent sessions per user
                .expiredSessionStrategy(new CustomSessionInformationExpiredStrategy())
                .sessionRegistry(sessionRegistry());
        http.httpBasic().and().authorizeRequests()
            .anyRequest().permitAll();
        // Second exceptionHandling() call: the lambda entry point registered below replaces
        // the authenticationEntryPoint bean set above (the last one configured wins)
        http.exceptionHandling()
            // CsrfFilter routes missing/invalid token rejections here, so they answer 403
            .accessDeniedHandler((request, response, accessDeniedException) -> {
                response.setContentType("application/json");
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                Map<String, Object> contentToSend = new HashMap<>();
                contentToSend.put("message", accessDeniedException.getMessage());
                contentToSend.put("errors", new ArrayList<>());
                contentToSend.put("status", response.getStatus());
                PrintWriter writer = response.getWriter();
                writer.write(new ObjectMapper().writeValueAsString(contentToSend));
                writer.flush();
            })
            // Unauthenticated access to a protected resource answers 401 with the same JSON shape
            .authenticationEntryPoint((request, response, authException) -> {
                response.setContentType("application/json");
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                Map<String, Object> contentToSend = new HashMap<>();
                contentToSend.put("message", authException.getMessage());
                contentToSend.put("errors", new ArrayList<>());
                contentToSend.put("status", response.getStatus());
                PrintWriter writer = response.getWriter();
                writer.write(new ObjectMapper().writeValueAsString(contentToSend));
                writer.flush();
            });
    }
}
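As an added check, not part of the question, a Spring Boot MockMvc test that exercises the cookie double-submit flow this configuration sets up: the first response must carry a readable XSRF-TOKEN cookie, a state-changing request without the X-XSRF-TOKEN header must be rejected by the access-denied handler with 403, and the same request with the header echoing the cookie must get past the CSRF filter. It assumes JUnit 4 with Spring Boot's test starter, a Spring Security 4/5 CsrfFilter that writes the cookie on the first request, and a placeholder endpoint path /api/example.

```java
import static org.junit.Assert.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;

import javax.servlet.http.Cookie;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc   // wires the springSecurityFilterChain into MockMvc
public class CsrfDoubleSubmitTest {
    // Placeholder path (assumed); any non-GET endpoint behind the filter chain will do.
    private static final String ENDPOINT = "/api/example";

    @Autowired
    private MockMvc mockMvc;

    private Cookie fetchXsrfCookie() throws Exception {
        // A safe request suffices: CsrfFilter generates and saves the token on first contact.
        MvcResult first = mockMvc.perform(get("/")).andReturn();
        Cookie xsrf = first.getResponse().getCookie("XSRF-TOKEN");
        assertNotNull("XSRF-TOKEN cookie was not issued", xsrf);
        // withHttpOnlyFalse(): the browser-side $http client must be able to read it
        assertFalse("cookie must not be HttpOnly", xsrf.isHttpOnly());
        return xsrf;
    }

    @Test
    public void postWithoutHeaderIsRejectedWith403() throws Exception {
        Cookie xsrf = fetchXsrfCookie();
        // Cookie present, header missing: CsrfFilter invokes the accessDeniedHandler (403).
        // A 401 instead means the request failed authentication before CSRF was checked.
        int status = mockMvc.perform(post(ENDPOINT).cookie(xsrf)).andReturn().getResponse().getStatus();
        assertEquals(403, status);
    }

    @Test
    public void postWithMatchingHeaderPassesCsrfFilter() throws Exception {
        Cookie xsrf = fetchXsrfCookie();
        // Double submit: the header value must equal the cookie value byte for byte.
        int status = mockMvc.perform(post(ENDPOINT).cookie(xsrf).header("X-XSRF-TOKEN", xsrf.getValue()))
                .andReturn().getResponse().getStatus();
        assertNotEquals(403, status);
    }
}
```

Run it with the application's own security configuration on the classpath; the two assertions separate a CSRF rejection (403 from the access-denied handler) from an authentication failure (401 from the entry point).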