13 February 2020, Thursday

SpringSecurity CookieCsrfTokenRepository Class

Introduction
We include the following line
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
In short, the CSRF token is stored in a cookie on the client and sent back with every request; the server keeps no copy of it (the double-submit cookie pattern). The explanation is as follows
The CookieCsrfTokenRepository implements the CsrfTokenRepository interface, which defines the contract for storing and retrieving CSRF tokens. It uses a cookie to store the CSRF token on the client side; nothing is kept in the server-side session.

When a user first visits a web application protected by CSRF, the CookieCsrfTokenRepository generates a CSRF token and stores it in a cookie (named XSRF-TOKEN by default). By default the cookie is marked HttpOnly, so client-side JavaScript cannot read it; a JavaScript client that has to echo the token back in a header needs the withHttpOnlyFalse variant described below.

On subsequent state-changing requests (anything other than GET, HEAD, TRACE and OPTIONS), the CookieCsrfTokenRepository reads the CSRF token from the cookie and CsrfFilter compares it, in constant time, with the value the client sent in the X-XSRF-TOKEN header (or the _csrf request parameter). If the two match, the request is processed; if they differ or the header is missing, the request is rejected with 403 as a potential CSRF attack. This is the double-submit cookie pattern: a cross-site page can make the browser attach the cookie, but it can neither read the cookie nor add a custom header to the request.

Using CookieCsrfTokenRepository simplifies CSRF token management in Spring Security, since it handles generation, storage and validation automatically. Because the server keeps no copy of the token, the protection rests on the attacker being unable to set a cookie for the application's domain: serve the application over HTTPS with the Secure flag on the cookie, and be careful with sibling subdomains an attacker could control, since a cookie set for a parent domain is also sent to the application.
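The following is an added example, not code from the original post or from Spring Security itself. It drives CsrfFilter with a CookieCsrfTokenRepository using spring-test's mock servlet objects, so the double-submit flow can be seen without a running server. Assumptions: Spring Security 6.x, spring-test 6.x and Jakarta Servlet 6 on the classpath; the /api/transfer URL is invented. The plain CsrfTokenRequestAttributeHandler is set explicitly because Spring Security 6 defaults to the XOR-masked handler, which would reject the raw cookie value an Angular-style client echoes back in the header.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

public class CookieCsrfDemo {

    public static void main(String[] args) throws Exception {
        // Assumed stack: Spring Security 6.x + spring-test mock servlet objects.
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        CsrfFilter csrf = new CsrfFilter(repository);
        csrf.setRequestHandler(new CsrfTokenRequestAttributeHandler()); // compare the raw token

        // 1. First safe request: no token cookie exists yet.
        MockHttpServletRequest get = new MockHttpServletRequest("GET", "/");
        MockHttpServletResponse getResponse = new MockHttpServletResponse();
        csrf.doFilter(get, getResponse, new MockFilterChain());
        // Spring Security 6 defers token creation: no Set-Cookie until something reads the token.
        check(getResponse.getCookie("XSRF-TOKEN") == null, "no cookie before the token is read");
        CsrfToken token = (CsrfToken) get.getAttribute(CsrfToken.class.getName());
        String value = token.getToken(); // forces generation and the Set-Cookie header
        Cookie cookie = getResponse.getCookie("XSRF-TOKEN");
        check(cookie != null && value.equals(cookie.getValue()), "XSRF-TOKEN cookie written");
        check(!cookie.isHttpOnly(), "withHttpOnlyFalse: JavaScript may read the cookie");
        check("X-XSRF-TOKEN".equals(token.getHeaderName()), "header name follows the AngularJS convention");

        // 2. Cross-site POST: the browser attaches the cookie, but the attacker cannot add the header.
        check(status(csrf, post(value, null)) == 403, "cookie alone is rejected");

        // 3. Same-origin POST: the JavaScript client copied the cookie into X-XSRF-TOKEN.
        check(status(csrf, post(value, value)) == 200, "cookie + matching header passes");

        // 4. Header that does not match the cookie (stale or forged token).
        check(status(csrf, post(value, "not-the-token")) == 403, "mismatch is rejected");

        // 5. The default repository marks the cookie HttpOnly; only withHttpOnlyFalse() clears it.
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/");
        MockHttpServletResponse res = new MockHttpServletResponse();
        CookieCsrfTokenRepository httpOnly = new CookieCsrfTokenRepository();
        httpOnly.saveToken(httpOnly.generateToken(req), req, res);
        check(res.getCookie("XSRF-TOKEN").isHttpOnly(), "default repository writes an HttpOnly cookie");
        System.out.println("all checks passed");
    }

    // Builds a state-changing request carrying the XSRF-TOKEN cookie and, optionally, the header.
    private static MockHttpServletRequest post(String cookieValue, String headerValue) {
        MockHttpServletRequest post = new MockHttpServletRequest("POST", "/api/transfer");
        post.setCookies(new Cookie("XSRF-TOKEN", cookieValue));
        if (headerValue != null) {
            post.addHeader("X-XSRF-TOKEN", headerValue);
        }
        return post;
    }

    // Runs the request through CsrfFilter; 403 comes from the default AccessDeniedHandler.
    private static int status(CsrfFilter csrf, MockHttpServletRequest request)
            throws ServletException, IOException {
        MockHttpServletResponse response = new MockHttpServletResponse();
        csrf.doFilter(request, response, new MockFilterChain());
        return response.getStatus();
    }

    private static void check(boolean condition, String what) {
        if (!condition) {
            throw new AssertionError(what);
        }
        System.out.println("ok: " + what);
    }
}
```

Step 1 is the part that surprises people upgrading to Spring Security 6: with the deferred token, an API that never renders the token (no Thymeleaf form, no explicit read) never sets the cookie, so the SPA has nothing to copy into the header. The configuration examples later on this page show where that read belongs.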
From Angular's Perspective
The Javadoc says the following. The cookie and header names follow the AngularJS convention, and Angular's HttpClientXsrfModule uses the same defaults (cookie XSRF-TOKEN, header X-XSRF-TOKEN). Note that Angular adds the header only to mutating requests sent to relative URLs; a frontend that calls the API by absolute URL must copy the cookie value into the header itself.
Persist the CSRF token in a cookie named "XSRF-TOKEN" and reads from the header "X-XSRF-TOKEN" following conventions of AngularJS
A similar explanation is as follows. By default Spring Security expects the token in the X-CSRF-TOKEN header (or the _csrf form parameter) and exposes its value only as a request attribute, for server-side rendering into a hidden form field. CookieCsrfTokenRepository instead delivers that value to the client as a cookie and expects it back in the X-XSRF-TOKEN header.
Spring Security wants a token sent to it in a header called "X-CSRF". 
...
To get it to the client we could send it as a cookie. The last choice is the best because Angular has built in support for CSRF (which it calls "XSRF") based on cookies.

So on the server we need a custom filter that will send the cookie. Angular wants the cookie name to be "XSRF-TOKEN" and Spring Security provides it as a request attribute by default, so we just need to transfer the value from a request attribute to a cookie. Fortunately, Spring Security (since 4.1.0) provides a special CsrfTokenRepository that does precisely this:
withHttpOnlyFalse method
The explanation is as follows
The withHttpOnlyFalse() method allows the JavaScript on the client-side to read the token from the cookie.
Another explanation is as follows
withHttpOnlyFalse() is used to disable the "HttpOnly" flag on the CSRF token cookie, allowing client-side JavaScript to read the token if necessary.
A third explanation, of what HttpOnly means in general, is as follows
When you are using HTTP Only, it means that only server can set cookies by Set-Cookie header and the client side (Browser JavaScript) cannot change it. So even if your app has an XSS vulnerability, the attacker cannot change sessionId (cookie).

So withHttpOnlyFalse() deliberately makes the CSRF cookie readable by script. That is acceptable for this cookie only: an XSS flaw already lets the attacker send same-origin requests that carry the token, so CSRF protection never defends against XSS anyway. The session cookie (JSESSIONID) must stay HttpOnly, and withHttpOnlyFalse() does not touch it.

Example
We do it like this. This is the chained DSL of Spring Security 4 and 5; from 5.2 the lambda form http.csrf(csrf -> csrf.csrfTokenRepository(...)) is available, and the chained form is deprecated in 6.1.
http.csrf()
  .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); // cookie XSRF-TOKEN, header X-XSRF-TOKEN
Example
We do it like this. WebSecurityConfigurerAdapter and SecurityProperties.ACCESS_OVERRIDE_ORDER come from Spring Boot 1.x/2.x; the adapter was deprecated in Spring Security 5.7 and removed in 6.0, where a SecurityFilterChain bean replaces it.
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) // run before Boot's default basic-auth configuration
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter { // nested in the application class in the original tutorial
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      // ...
      .and().csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); // token goes out as the XSRF-TOKEN cookie
  }
}
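The following is an added Spring Security 6 counterpart of the configuration above; it is not code from the original post, though it follows the single-page-application recipe in the Spring Security reference documentation. Assumptions: Spring Security 6.1 or later (setCookieCustomizer), HTTP Basic as a placeholder authentication mechanism, an HTTPS deployment (hence Secure), and SameSite=Lax as a defence-in-depth choice of mine. The request handler keeps the BREACH-protecting XOR masking for tokens rendered into pages but accepts the raw cookie value in the X-XSRF-TOKEN header, which is what Angular sends; calling csrfToken.get() in handle() forces the deferred token to be created so the cookie is actually set on the first response.

```java
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;

@Configuration
public class SpaCsrfSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Assumed stack: Spring Security 6.1+. Same repository as the page's example, plus cookie hardening.
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();
        // Assumption: HTTPS deployment. Secure stops the cookie leaking over plain HTTP;
        // SameSite=Lax is defence in depth, the double-submit check is the actual CSRF control.
        repository.setCookieCustomizer(cookie -> cookie.secure(true).sameSite("Lax"));

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults()) // placeholder authentication
            .csrf(csrf -> csrf
                .csrfTokenRepository(repository)
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()));
        return http.build();
    }

    // Accepts the raw token from the X-XSRF-TOKEN header (what Angular sends) and keeps
    // XOR masking for tokens rendered into HTML forms; forces the cookie on every response.
    static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                Supplier<CsrfToken> csrfToken) {
            this.xor.handle(request, response, csrfToken);
            // Reading the deferred token makes the repository write the XSRF-TOKEN cookie now,
            // so a JSON API that never renders the token still hands it to the SPA.
            csrfToken.get();
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            String headerValue = request.getHeader(csrfToken.getHeaderName());
            // Header present: raw value copied from the cookie. Otherwise: masked form-field value.
            return (StringUtils.hasText(headerValue) ? this.plain : this.xor)
                    .resolveCsrfTokenValue(request, csrfToken);
        }
    }
}
```

With this in place the browser flow is the one described at the top of the page: the first response sets XSRF-TOKEN (readable by script, Secure, SameSite=Lax), Angular copies it into X-XSRF-TOKEN on every mutating request, and CsrfFilter rejects any POST, PUT or DELETE whose header does not match the cookie with 403.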
