I have three Spring Boot applications running on the same server under different paths. All three of them expose API endpoints, and one of them also serves web resources such as HTML, JavaScript and CSS.
Application 1:
- Serves user interface files
- Serves API endpoints
Application 2:
- Serves API endpoints
Application 3:
- Serves API endpoints
So far we have only enabled CSRF validation for application 1, which worked well with org.springframework.security.web.csrf.CookieCsrfTokenRepository. We send XSRF-TOKEN as a cookie, and AngularJS sends back X-XSRF-TOKEN in the header on each request.
Now we plan to introduce XSRF for the other two applications in the same way as for application 1.
. AngularJs XSRF-TOKEN 1 , TOKEN ( ).
CSRF
Spring Boot version: 1.5.3
Angular version: 1.3.18
<beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository">
<beans:property name="cookieHttpOnly" value="false" />
</beans:bean>
{
"timestamp": 1509437659613,
"status": 403,
"error": "Forbidden",
"message": "Invalid CSRF Token '2fa60cb2-803f-4b2b-a1d6-7e10e56ca649' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
"path": "/application2/posturl/path"
}
2fa60cb2-803f-4b2b-a1d6-7e10e56ca649
- 1 cookie/application1.
:
- , cookie httpOnly=false .
- , XSRF-TOKEN cookie Chrome .
- angular, .
- WAR IP- .
, angular cookie, cookie XSRF-TOKEN .
?
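An added example, not code from the question or from Spring itself: in Spring Security 4.2 (the version Spring Boot 1.5.x uses) CookieCsrfTokenRepository writes the XSRF-TOKEN cookie with the application's own context path, so the cookie issued under /application1 is the one AngularJS reads from document.cookie, while a request to /application2 is validated against a different (or absent) cookie and is rejected with the 403 shown above. The repository below keeps the same double-submit scheme but sets the cookie path explicitly; the class name and the "/" path are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;

/**
 * Writes the XSRF-TOKEN cookie with an explicit path (assumed "/") so that the cookie
 * issued by /application1 is the same one the browser sends to /application2 and
 * /application3. Token generation and lookup are delegated to Spring's
 * CookieCsrfTokenRepository, so the header (X-XSRF-TOKEN) and parameter (_csrf)
 * names stay exactly as in the question's error message.
 */
public class SharedPathCsrfTokenRepository implements CsrfTokenRepository {

    private static final String COOKIE_NAME = "XSRF-TOKEN";
    private final CookieCsrfTokenRepository delegate = CookieCsrfTokenRepository.withHttpOnlyFalse();
    private final String cookiePath;

    /** @param cookiePath path prefix shared by all applications on the host, e.g. "/" (assumption) */
    public SharedPathCsrfTokenRepository(String cookiePath) {
        this.cookiePath = cookiePath;
    }

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return delegate.generateToken(request);   // random UUID token, as in the stock repository
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        // A null token means "clear the cookie" (for example on logout).
        String value = (token == null) ? "" : token.getToken();
        Cookie cookie = new Cookie(COOKIE_NAME, value);
        cookie.setPath(cookiePath);                // the only behaviour that differs from the delegate
        cookie.setHttpOnly(false);                 // AngularJS must be able to read it from document.cookie
        cookie.setSecure(request.isSecure());      // do not expose a token issued over HTTPS on plain HTTP
        cookie.setMaxAge((token == null) ? 0 : -1);
        response.addCookie(cookie);
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        // Reads the XSRF-TOKEN cookie by name; the browser has already filtered cookies by path.
        return delegate.loadToken(request);
    }
}
```

In the XML from the question, point the csrfTokenRepository bean's class at this repository and pass the path with a <beans:constructor-arg value="/" /> (the cookieHttpOnly property is then no longer needed). With path "/" every application on that host shares one token cookie, which is acceptable only because all three applications are deployed and trusted together.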