
Our application is Spring Boot with Angular. Due to security reasons, we need to implement CSRF. We have done the implementation but are still getting 403 Forbidden. We use OAM login authentication. In spite of setting HttpOnly to false, in the browser we see that it is not false. We can clearly see the token.

```typescript
HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN', headerName: 'XSRF-TOKEN'})
```

This is the code in the angular frontend.

We have implemented the below code at the backend, in the configuration class:

```java
http
  .httpBasic()
  .and()
  .csrf() // csrf config starts here
  .ignoringAntMatchers(CSRF_IGNORE) // URIs where the CSRF check will not be applied (CSRF_IGNORE defined elsewhere)
  .csrfTokenRepository(csrfTokenRepository()) // defines a repository where tokens are stored
  .and()
  // register the cookie-writing filter defined below, after Spring's own CsrfFilter
  .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);

private CsrfTokenRepository csrfTokenRepository() {
    CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
    /*repo.setHeaderName(CsrfFilter.CSRF_COOKIE_NAME);*/
    // header name must match the headerName configured in the Angular HttpClientXsrfModule
    repo.setHeaderName("XSRF-TOKEN");
    return repo;
}
```

And the filter code:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;

private Filter csrfHeaderFilter() {
    return new OncePerRequestFilter() {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response, FilterChain filterChain)
                throws ServletException, IOException {
            // CsrfFilter stores the current token as a request attribute under this name
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrf != null) {
                // expose the token to the Angular client as a readable (non-HttpOnly) cookie
                Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                cookie.setPath("/");
                response.addCookie(cookie);
            }
            filterChain.doFilter(request, response);
        }
    };
}
```

Any help and suggestions are welcome.
We suspect that maybe OAM authentication does not work with the CSRF implementation.


Armen Stepanyan
NAVOZ
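For comparison, here is a minimal Spring Security 5.x configuration for the Angular cookie-to-header pattern the question is trying to set up. This is an added example, not the asker's code or Spring's reference configuration; the class name, the `CSRF_IGNORE` paths and the use of `WebSecurityConfigurerAdapter` are assumptions chosen to match the API style in the question. It relies on two things that `CookieCsrfTokenRepository.withHttpOnlyFalse()` already does, so no extra cookie-writing filter is registered: it writes the `XSRF-TOKEN` cookie with `HttpOnly=false` whenever a request arrives without one, and Spring's `CsrfFilter` compares the configured request header against that cookie on every non-safe method (POST, PUT, PATCH, DELETE), answering 403 when the header is absent or does not match.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;

// Example configuration (assumed class name); targets the Spring Security 5.x API used in the question.
@Configuration
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed sample: paths exempt from the CSRF check, e.g. an unauthenticated health endpoint.
    private static final String[] CSRF_IGNORE = {"/actuator/health"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .csrf()
                .ignoringAntMatchers(CSRF_IGNORE)
                .csrfTokenRepository(csrfTokenRepository());
        // No addFilterAfter(...) here: the repository below already writes the cookie
        // and CsrfFilter already validates the header, so a second filter is redundant.
    }

    private CsrfTokenRepository csrfTokenRepository() {
        // withHttpOnlyFalse() makes the cookie readable by Angular's HttpClientXsrfModule.
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Both names must match the Angular side exactly; a mismatch means CsrfFilter
        // finds no token on the request and returns 403 for every state-changing call.
        repo.setCookieName("XSRF-TOKEN");   // Angular's default cookieName
        repo.setHeaderName("X-XSRF-TOKEN"); // Angular's default headerName
        return repo;
    }
}
```

With these names the Angular side needs only its defaults (`HttpClientXsrfModule.withOptions({cookieName: 'XSRF-TOKEN', headerName: 'X-XSRF-TOKEN'})`); the question's pairing of `XSRF-TOKEN` on both sides also works, as long as the header name is identical in both places. Two checks help when a 403 persists: in the browser's network panel the failing request must carry both a `Cookie: XSRF-TOKEN=...` and the configured header, and Angular's interceptor only adds that header to requests with a relative URL and a method other than GET or HEAD, so calls made to an absolute `http://`/`https://` URL go out without it. If the cookie visible in the browser is still marked HttpOnly, it was not written by this repository; inspect which response carries the `Set-Cookie` header for `XSRF-TOKEN` to see what is actually setting it.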

1 Answer


Angular has some built-in protections against common web-application vulnerabilities and attacks such as XSS and CSRF. See the following page: https://angular.io/guide/security

ng-hobby