1. Questions
- The list page has no data once CSRF protection is turned on.
- The browser console shows a 403 for the request:
HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
2. Background
First, what is "CSRF"?
CSRF (Cross-Site Request Forgery), also known as a "one-click attack" or "session riding", is a web application vulnerability in which the attacker gets the victim's browser to send a request to a site the victim is already logged in to. The forged request arrives carrying the victim's credentials, so the trusted site carries it out as if the user had asked for it.
HTTP itself is stateless, so cookies were introduced to carry state between client and server. A cookie typically holds the session ID generated by the server, and the browser attaches it to every request to that server so the server can identify the client. That automatic attachment is exactly what CSRF abuses: the attacker never needs to learn the session ID, because the browser adds it to the forged request on its own.
Second, what is "cross-domain"?
Two pages are in the same origin only when their scheme (protocol), host and port all match; if any of the three differs they are cross-origin, which is what "cross-domain" refers to here. A cross-origin page cannot read the trusted site's session cookie, but when it submits a form or fires a request at that site, the browser still sends the cookie along. The server then sees a request with a valid session ID, treats it as legitimate, and performs the requested update.
3. Several key points in Spring Security
1) If the HTTP request is a GET (or HEAD, TRACE, OPTIONS), Spring Security treats it as a read-only access that only queries server resources and does not update them, so its CSRF protection lets such requests through without a token.
2) If the HTTP request is a POST (or PUT, DELETE, PATCH), Spring Security checks it, because such requests update server resources: if a malicious third party could make the browser send a POST carrying the user's session cookie, server data could be tampered with illegally. With CSRF protection enabled (the default), any POST that does not carry the token is rejected with a 403, including a perfectly reasonable POST from your own front end that simply never sent one, so the page stops working. Turning CSRF protection off makes POSTs work again, but then a forged POST riding on the session cookie cannot be told apart from a legitimate one. Spring Security therefore uses a token mechanism: a secret issued to the real page (kept in the session or in a cookie) that a cross-origin attacker cannot read, which the front end must echo back in the '_csrf' parameter or the 'X-CSRF-TOKEN' header on every state-changing request.
3) Another background note: Spring Security 3 left CSRF protection off by default (Java configuration turned it on from 3.2, XML configuration only from 4.0), while Spring Security 4 enables it by default.
4) If you do not want CSRF protection, you can disable it in the security configuration as follows:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        ………………
        .csrf().disable();
}
If instead you want to keep CSRF protection on and have it work with the front end, use the following configuration.
What to do on the Java configuration side
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        ………………
        .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
With CookieCsrfTokenRepository the token is written to a cookie named XSRF-TOKEN and is expected back in the X-XSRF-TOKEN header (or the _csrf parameter); withHttpOnlyFalse() is what allows the page's JavaScript to read that cookie. The trade-off is that a non-HttpOnly cookie is readable by any script running on the page, so an XSS bug would expose the token as well.
What to do on the H5 (front-end) side
There are roughly three approaches described online; here is how I did it on our own platform (Spring Boot 1.5.12 + Spring Security 4.2.5 + Thymeleaf 2.1.3).
Put these in the global index page so that they do not have to be repeated in every page:
<meta name="_csrf_parameter" th:content="${_csrf.parameterName}" th:if="${_csrf}" />
<meta name="_csrf_header" th:content="${_csrf.headerName}" th:if="${_csrf}" />
<meta name="_csrf" th:content="${_csrf.token}" th:if="${_csrf}" />
// Read the token and header name from the meta tags and attach them to every jQuery AJAX request
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
    xhr.setRequestHeader(header, token);
});
For a separate AJAX submission (for example a partial refresh of one area), set the header on that call. Take the header name from the model as well rather than hard-coding "X-CSRF-TOKEN", so that it matches whichever token repository is configured:
var headers = {};
headers["[[${_csrf.headerName}]]"] = "[[${_csrf.token}]]";
// then pass it as the ajax option: headers: headers
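For comparison with the jQuery snippets above, the following is an added, framework-free version of the same idea; it is not the page's own code. It takes the token either from the meta tags rendered by Thymeleaf or, as a fallback, from the XSRF-TOKEN cookie that CookieCsrfTokenRepository writes (readable from JavaScript only because of withHttpOnlyFalse()), and adds the header only to requests that change state. The meta map, cookie string and fetch function are constructed inputs so that it runs outside a browser; in a real page you would pass document.cookie and window.fetch.

```javascript
// Added example, not the page's own jQuery code: attach the CSRF token to every
// state-changing request without a framework. Inputs are constructed so the
// code runs without a browser.

// Same "safe" methods Spring Security does not check; no header needed for them.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse a document.cookie string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Pick the header name and token. The meta tags (rendered from ${_csrf.headerName}
// and ${_csrf.token}) win because they always carry the name the configured
// repository expects; the cookie fallback assumes CookieCsrfTokenRepository,
// whose header is X-XSRF-TOKEN, not X-CSRF-TOKEN. Returns null if no token is found.
function csrfFromPage({ meta = {}, cookieString = "" }) {
  if (meta._csrf && meta._csrf_header) {
    return { header: meta._csrf_header, token: meta._csrf };
  }
  const token = parseCookies(cookieString)["XSRF-TOKEN"];
  return token ? { header: "X-XSRF-TOKEN", token } : null;
}

// Wrap a fetch-like function so the CSRF header is added only to unsafe methods.
// `page` is { meta, cookieString }; in a browser build it from the DOM and document.cookie.
function withCsrf(fetchImpl, page) {
  return (url, init = {}) => {
    const method = (init.method || "GET").toUpperCase();
    const csrf = csrfFromPage(page);
    if (SAFE_METHODS.has(method) || csrf === null) return fetchImpl(url, init);
    const headers = Object.assign({}, init.headers, { [csrf.header]: csrf.token });
    // credentials: "same-origin" keeps the session cookie on the request.
    return fetchImpl(url, Object.assign({}, init, { headers, credentials: "same-origin" }));
  };
}
```

Either source works with the Java configuration above; the point of preferring the meta tags is that the header name is never guessed on the client, which is the mistake that produces the 403 in the question when the repository and the hard-coded header disagree.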
Several problems about Springboot +spring security and CSRF