AngularJS XSRF Strategy Does Not Follow Cookie Paths

I have three Spring Boot applications running on the same server with different paths. All three of them expose API endpoints, and one of them also serves web resources such as HTML, JavaScript and CSS.

Application 1:

  • Serves user interface files
  • Serves API endpoints

Application 2:

  • Serves API endpoints

Application 3:

  • Serves API endpoints

So far, we have only enabled CSRF validation for application 1. This worked well with org.springframework.security.web.csrf.CookieCsrfTokenRepository: we send XSRF-TOKEN as a cookie, and AngularJS sends back X-XSRF-TOKEN in the header with each request.

Now we plan to introduce XSRF for the other two applications in the same way as for application 1.

. AngularJs XSRF-TOKEN 1 , TOKEN ( ).

CSRF .

, .

Spring-boot version     : 1.5.3
Angular version         : 1.3.18

  <beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
    <beans:property name="cookieHttpOnly" value="false" />
  </beans:bean>

,

{
  "timestamp": 1509437659613,
  "status": 403,
  "error": "Forbidden",
  "message": "Invalid CSRF Token '2fa60cb2-803f-4b2b-a1d6-7e10e56ca649' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
  "path": "/application2/posturl/path"
}

2fa60cb2-803f-4b2b-a1d6-7e10e56ca649 - 1 cookie/application1.

:

  • , cookie httpOnly=false.
  • , XSRF-TOKEN cookie Chrome .
  • angular, .
  • WAR IP- .

, angular cookie, cookie XSRF-TOKEN.

?

+4
2

, csrfTokenRepository AngularJs, cookies URLs, cookie Path.

<beans:bean id="csrfTokenRepository" 
    class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
    <beans:property name="cookieHttpOnly" value="false" />
    <beans:property name="cookiePath" value="/" />
    <beans:property name="cookieName" value="APP-1-XSRF-TOKEN" />
    <beans:property name="headerName" value="APP-1-X-XSRF-TOKEN" />
</beans:bean>

, cookieName headerName . ( , headerName , .)

AngularJs .

app.config(['$httpProvider', function ($httpProvider) {
    $httpProvider.interceptors.push(function ($q) {
        // Reads a cookie value by name from document.cookie
        // (adapted from https://stackoverflow.com/a/5639455/2557818)
        var readCookie = function (name) {
            var r = RegExp('(^|; )' + encodeURIComponent(name) + '=([^;]*)').exec(document.cookie);
            return r ? r[2] : null;
        };
        return {
            'request': function (config) {
                // Pick the cookie/header pair of the application the request targets.
                // indexOf() !== -1 so that relative URLs starting with "/app1" also match.
                if (config.url.indexOf("/app1") !== -1) {
                    config.headers['APP-1-X-XSRF-TOKEN'] = readCookie("APP-1-XSRF-TOKEN");
                } else if (config.url.indexOf("/app2") !== -1) {
                    config.headers['APP-2-X-XSRF-TOKEN'] = readCookie("APP-2-XSRF-TOKEN");
                } else if (config.url.indexOf("/app3") !== -1) {
                    config.headers['APP-3-X-XSRF-TOKEN'] = readCookie("APP-3-XSRF-TOKEN");
                }
                return config || $q.when(config);
            }
        };
    });
}]);
0
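The following is an added example, not code from the question or the answer above: a small Node.js model of why a single XSRF-TOKEN cookie scoped to each application's path produces the 403, and why the per-app cookie and header names with cookie path "/" from the answer fix it. The cookie values, the /app1, /app2, /app3 prefixes and the APP-n names are constructed for illustration.

```javascript
// Added example (not code from the question or answers): a Node.js model of
// why one XSRF-TOKEN cookie per application path fails, and how the answer's
// per-app cookie/header names with cookie path "/" fix it. Values are constructed.

// RFC 6265 5.1.4 path-match: the rule a browser applies when deciding which
// cookies are visible to a page (document.cookie) or sent with a request.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// What document.cookie looks like on a page at pagePath: name=value pairs
// only; the cookie's path attribute is not exposed to JavaScript.
function documentCookie(jar, pagePath) {
  return jar.filter(c => pathMatches(pagePath, c.path))
            .map(c => c.name + '=' + c.value).join('; ');
}

function readCookie(name, cookieString) {
  const m = new RegExp('(^|; )' + encodeURIComponent(name) + '=([^;]*)').exec(cookieString);
  return m ? decodeURIComponent(m[2]) : null;
}

// AngularJS default XSRF strategy: read XSRF-TOKEN, send X-XSRF-TOKEN, no
// matter which application the request targets.
function defaultXsrfHeaders(cookieString) {
  const token = readCookie('XSRF-TOKEN', cookieString);
  return token ? { 'X-XSRF-TOKEN': token } : {};
}

// The answer's interceptor logic: pick cookie and header by target app.
const APPS = { app1: 'APP-1', app2: 'APP-2', app3: 'APP-3' };
function perAppXsrfHeaders(url, cookieString) {
  const path = new URL(url, 'http://localhost').pathname;
  for (const [prefix, name] of Object.entries(APPS)) {
    if (path === '/' + prefix || path.startsWith('/' + prefix + '/')) {
      const token = readCookie(name + '-XSRF-TOKEN', cookieString);
      return token ? { [name + '-X-XSRF-TOKEN']: token } : {};
    }
  }
  return {};
}

// Server side, as CookieCsrfTokenRepository does it: the header value must
// equal the token cookie the browser sent with this request (path-matched).
function serverAccepts(jar, url, headers, cookieName, headerName) {
  const path = new URL(url, 'http://localhost').pathname;
  const sent = jar.find(c => c.name === cookieName && pathMatches(path, c.path));
  return Boolean(sent) && headers[headerName] === sent.value;
}
```

With two XSRF-TOKEN cookies at paths /app1 and /app2, a page served from /app1 only sees app1's token, so the default strategy sends it to /app2 and the server rejects it; with distinct names at path "/" both tokens are visible and the interceptor picks the right one.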

Angularjs Spring Spring cookie xrsft ( ).

Angular , cookie ( $cookies.get(key));

+1

Source: https://habr.com/ru/post/1688439/
