All geek questions in one place

Spring CSRF security badge not working with AJAX

I have a problem in my spring boot application with csrf token.

I have a form where I can edit Personality. Man can have

Now imagine that a person has a car, and enter it and save it. Next time he wants to remove this car and introduce another one. I created it so that there is a list of all his cars - he has the ability to remove it from the list. Now I start with these tablets and want to send with the appropriate ID to the POST server. When I try, I get a 403 ban and I have no idea why.

If I switch from POST to GET, it will work.

My JavaScript (taken from this site: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag )

var csrfParameter = $("meta[name='_csrf_parameter']").attr("content"); var csrfHeader = $("meta[name='_csrf_header']").attr("content"); var csrfToken = $("meta[name='_csrf']").attr("content"); // using JQuery to send a non-x-www-form-urlencoded request var headers = {}; headers[csrfHeader] = csrfToken; $.ajax({ url: "./delete/car", type: "GET", headers: headers, }); $.ajax({ url: "./delete/car", type: "POST", headers: headers, });

My controller methods:

 @RequestMapping(value = "/{login}/delete/car", method = RequestMethod.GET) public ModelAndView delete(@PathVariable("login") final String login) { System.out.println("Stop"); return new ModelAndView("redirect:" + WebSecurityConfig.URL_PERSONS_OVERVIEW); } @RequestMapping(value = "/{login}/delete/car", method = RequestMethod.POST) public ModelAndView deleteInstEmp(@PathVariable("login") final String login) { System.out.println("Stop"); return new ModelAndView("redirect:" + WebSecurityConfig.URL_PERSONS_OVERVIEW); }

Any suggestions?

Thanks in advance.

+5
source share
2 answers

OK, after I struggled with all this, I get the following result.

I added the fail method to the Ajax construct and get the following message:

"Failed to execute 'setRequestHeader' in 'XMLHttpRequest': '$ {_ csrf.headerName}' is not a valid HTTP header field name.

the official spring website advises you to put this: <sec:csrfMetaTags /> or from other sources: <meta name="_csrf" th:content="${_csrf.token}"/> in your html file.

After that, you should have access to these attributes in your JavaScript, but in my case I get undefined and ${_csrf.headerName} .

The last attempt was to take a value from a hidden value (chapter 24.5: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags -tag ).

Now I have the following:

 $(function () { var token = $("input[name='_csrf']").val(); var header = "X-CSRF-TOKEN"; $(document).ajaxSend(function(e, xhr, options) { xhr.setRequestHeader(header, token); }); }); $.ajax({ url: "./delete/car", type: "POST", success:function(response) { alert(response); } });

With this, it works like a charm.

+13
source

Another way: you can use the following code:

 $.ajax({ url : './delete/car', headers: {"X-CSRF-TOKEN": $("input[name='_csrf']").val()}, type : 'POST', success : function(result) { alert(result.msgDetail); } })
0
source

Source: https://habr.com/ru/post/973413/

More articles:


All Articles