
I am developing a web application in Spring Boot with Spring Security.

Here is the code that I used for implementing CSRF.

Configuration class:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity security) throws Exception {
        // CSRF protection is not configured here, so it keeps the Java-config default (enabled)
        security.httpBasic().disable();
        security.authorizeRequests()
                .antMatchers("/DDR/**").permitAll()
                .antMatchers("/assets/**").permitAll();
    }

}

Added the below comments in JSP

    <meta name="_csrf" content="${_csrf.token}" />
    <meta name="_csrf_header" content="${_csrf.headerName}" />

Getting the values in JS:

// read the token and header name that the JSP rendered into the <meta> tags
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");

And finally added the header in the Ajax request:

headers : {
    // "X-CSRF-TOKEN" is Spring Security's default header name, i.e. the value of _csrf.headerName
    "X-CSRF-TOKEN" : token
},

Do we need any other coding on the server side (Java side) for validating the CSRF token, or will Spring Security handle that? Thanks in advance.

Supriya C S

1 Answer

Everything seems right. CSRF protection is enabled by default with Java configuration. To make sure everything is working you can check that every request you are sending has the CSRF header value. Also you should try to do a CSRF attack on your application to test. You can create a dummy application which calls your POST API and check the response in the dummy application. If everything is configured correctly, 403 should be returned.

Saurabh Nigam
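The check the answer recommends (a POST without the token must be rejected with 403) can be automated instead of built as a dummy application. The following MockMvc test is an added example, not code from the question or the answer; it assumes Spring Boot 2.x with JUnit 4 and `spring-security-test` on the test classpath, the `SecurityConfig` class from the question, and a hypothetical POST endpoint at `/DDR/submit`.

```java
import static org.hamcrest.Matchers.not;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Loads the full application context, including SecurityConfig, so the
// CsrfFilter that Spring Security registers by default is in the chain.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class CsrfProtectionTest {

    // Hypothetical endpoint path; /DDR/** is permitAll() in the question's
    // config, but CSRF checks still apply to state-changing requests there.
    private static final String ENDPOINT = "/DDR/submit";

    @Autowired
    private MockMvc mvc;

    // A cross-site form or script cannot read the token, so its POST carries none.
    @Test
    public void postWithoutCsrfTokenIsForbidden() throws Exception {
        mvc.perform(post(ENDPOINT))
           .andExpect(status().isForbidden());
    }

    // A guessed or stale token must be rejected just like a missing one.
    @Test
    public void postWithInvalidCsrfTokenIsForbidden() throws Exception {
        mvc.perform(post(ENDPOINT).with(csrf().useInvalidToken()))
           .andExpect(status().isForbidden());
    }

    // With a valid token the CsrfFilter lets the request through; whatever the
    // controller answers, it must not be the CSRF rejection.
    @Test
    public void postWithValidCsrfTokenPassesTheFilter() throws Exception {
        mvc.perform(post(ENDPOINT).with(csrf()))
           .andExpect(status().is(not(403)));
    }
}
```

`csrf()` places a valid token in the request the same way the Ajax header does, so the last test also confirms the browser-side wiring has nothing left to do on the server.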