In my Spring Boot / AngularJS application, I have the following CSRF configuration:
```java
@Override
protected void configure(final HttpSecurity http) throws Exception {
    // CSRF token is stored via a custom repository; no HTTP session is created
    http.csrf().csrfTokenRepository(csrfTokenRepository());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

    // every REST endpoint listed in WebSecurityConfig requires the USER role
    final String[] restEndpointsToSecure = WebSecurityConfig.restEndpointsToSecure;
    for (final String endpoint : restEndpointsToSecure) {
        http.authorizeRequests().antMatchers("/" + endpoint + "/**").hasRole(UserRoleEnum.USER.toString());
    }

    // after CsrfFilter has validated the request, copy the token into the XSRF-TOKEN cookie
    http.addFilterAfter(csrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);

    // token-based (X-Auth-Token) authentication
    xAuthTokenConfigurer.setDetailsService(userDetailsServiceBean());
    final SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurerAdapter = xAuthTokenConfigurer;
    http.apply(securityConfigurerAdapter);
}
```
The CSRF-Token filter is as follows:
```java
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, javax.servlet.FilterChain filterChain)
        throws ServletException, IOException {
    // CsrfFilter exposes the current token as a request attribute
    final CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrf != null) {
        Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
        final String token = csrf.getToken();
        // (re)issue the cookie when it is missing or no longer matches the current token
        if (cookie == null || token != null && !token.equals(cookie.getValue())) {
            cookie = new Cookie("XSRF-TOKEN", token);
            cookie.setPath("/");
            response.addCookie(cookie);
        }
    }
    filterChain.doFilter(request, response);
}
```
In general, it works fine: the X-XSRF-TOKEN request header is sent with every request. BUT I have a strange behavior. I am updating my user profile in the application. The first time it works fine; the second time, I get HTTP 403 Forbidden, and I really don't know why. I do nothing between these two updates (no navigating to other pages between the two updates or anything else).
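For comparison, an added example that is not the question's code: the cookie binding the custom filter does by hand is what Spring Security's own `CookieCsrfTokenRepository` (available since 4.1) performs, writing the token to an `XSRF-TOKEN` cookie and reading the expected value back from that cookie on the next request, so it needs no `HttpSession` and fits a `STATELESS` policy. The class name `StatelessCsrfConfig` and the single `anyRequest().authenticated()` rule are assumptions made for the example.

```java
// Added example, not from the original post: stateless CSRF with the built-in
// cookie-backed token repository instead of a custom binding filter.
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

public class StatelessCsrfConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // withHttpOnlyFalse(): AngularJS must be able to read the XSRF-TOKEN cookie
        // from script in order to echo it back in the X-XSRF-TOKEN request header.
        // The repository compares that header with the cookie value on each
        // state-changing request, so no server-side session state is involved.
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

        // no HttpSession is created or used for the CSRF token
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // assumed authorization rule for the example (the question uses a per-endpoint loop)
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```

When diagnosing a 403 from `CsrfFilter`, compare the `XSRF-TOKEN` cookie sent with the failing request against the `X-XSRF-TOKEN` header in the same request; a mismatch there (for example a cookie re-issued by an earlier response that the client had not yet picked up) is what the filter rejects.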