Do I need to protect JAX-RS requests from CSRF?

Is it necessary to protect JAX-RS requests from CSRF?

By definition, REST is stateless and, therefore, there is no session identifier (session cookie), because there is no session at all (see also https://stackoverflow.com/a/3124017/ ... ).

My Spring Security configuration:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {

        @Configuration
        @Order(1)
        public static class JaxRsWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(final HttpSecurity http) throws Exception {
                http
                    .antMatcher("/services/**")
                    .csrf().disable()   // CSRF protection switched off for the JAX-RS endpoints
                    .authorizeRequests()
                        .antMatchers(HttpMethod.OPTIONS, "/services/**").permitAll()
                        .anyRequest().hasAuthority("ROLE_user")
                    .and()
                    .httpBasic()        // stateless HTTP Basic authentication
                    .and()
                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
            }
        }
    }

But I found, for example, the following blog: Stateless Spring Security Part 1: Stateless CSRF protection. Unfortunately, the blog does not explain why CSRF protection is needed.

Is there another CSRF attack without a session cookie?

+5
2 answers

CSRF attacks do not need a session. A CSRF attack makes the user do something on the attacker's behalf by tricking him/her into clicking a link or submitting a form that is sent to an application the user is logged in to.

This holds whether basic authentication or session cookies are used to identify the user.

Please note that using a cookie does not mean that the application is not stateless. Cookies, like basic authentication, simply consist of sending an additional header with each HTTP request.

+2

Access tokens are sometimes stored in a (secure, http-only at best) cookie, so clients don't need to add them to each request manually: cookies are automatically attached to browser requests. This is the reason that CSRF protection must be implemented.

The article you are linking to suggests that clients generate and send the same unique secret value in both the cookie and a custom HTTP header, which is pretty convenient:

Given that a website can only read/write cookies for its own domain, only the real website can send the same value in both headers.

That is, if, for example, you receive an email with a fake image targeting http://yourserver.com/admin/deleteAll (and the server processes it through GET ...), the unique secret will not be set in the request header (the old one may still be present in the cookie): the server must reject the request.

0
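Added example (my code, not from the question, the answers or the linked article): a JAX-RS ContainerRequestFilter that enforces the double-submit check described in the answer above. The cookie and header names are assumptions; the client is assumed to generate one random value and send it in both places on every state-changing request.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Double-submit CSRF check for JAX-RS (added example, not from the question or the
// linked article). The client puts one random value in the cookie and in the header.
@Provider
public class DoubleSubmitCsrfFilter implements ContainerRequestFilter {

    // Assumed names; any pair works as long as client and server agree.
    static final String COOKIE_NAME = "XSRF-TOKEN";
    static final String HEADER_NAME = "X-XSRF-TOKEN";

    // Exempting these assumes the API never changes state on GET; the
    // /admin/deleteAll example in the answer above shows why that matters.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (SAFE_METHODS.contains(ctx.getMethod())) {
            return;
        }
        Cookie cookie = ctx.getCookies().get(COOKIE_NAME);
        String cookieValue = cookie == null ? null : cookie.getValue();
        String headerValue = ctx.getHeaderString(HEADER_NAME);
        if (!tokensMatch(cookieValue, headerValue)) {
            // A cross-site form or image request carries the cookie automatically
            // but cannot set the custom header, so it is rejected here.
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("CSRF token missing or mismatched")
                    .build());
        }
    }

    // Both values must be present and equal; compare in constant time.
    static boolean tokensMatch(String cookieValue, String headerValue) {
        if (cookieValue == null || headerValue == null || cookieValue.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
                cookieValue.getBytes(StandardCharsets.UTF_8),
                headerValue.getBytes(StandardCharsets.UTF_8));
    }
}
```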

Source: https://habr.com/ru/post/1234015/
