Include the CSRF Token in Spring Security | Code Factory

Code Factory
2 min readDec 4, 2019

--

Reference Link : Link

Form Submissions

To implement spring security you must include the CSRF token in all PATH, POST, PUT, and DELETE methods. One way to approach this is to use the _csrf request attribute to obtain the current CsrfToken. An example of doing this with a JSP is shown below:

<form action="${logoutUrl}" method="post">
    <input type="submit" value="Log out" />
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>

*Note : If you are using Spring MVC <form:form> tag or Thymeleaf 2.1+ and are using @EnableWebSecurity, the CsrfToken is automatically included for you (using the CsrfRequestDataValueProcessor).

Ajax and JSON Requests

If you are using JSON, then it is not possible to submit the CSRF token within an HTTP parameter. Instead you can submit the token within a HTTP header. A typical pattern would be to include the CSRF token within your meta tags. An example with a JSP is shown below:

<head>
    <meta name="_csrf" content="${_csrf.token}" />
    <!-- default header name is X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}" />
</head>

You can then include the token within all your Ajax requests. If you were using jQuery, this could be done with the following:

$(function() {
    var token = $("meta[name='_csrf']").attr("content");
    var header = $("meta[name='_csrf_header']").attr("content");
    $(document).ajaxSend(function(e, xhr, options) {
        xhr.setRequestHeader(header, token);
    });
});

CookieCsrfTokenRepository

There can be cases where users will want to persist the CsrfToken in a cookie. By default the CookieCsrfTokenRepository will write to a cookie named XSRF-TOKEN and read it from a header named X-XSRF-TOKEN or the HTTP parameter _csrf.

You can configure CookieCsrfTokenRepository in XML using the following:

<http>
    <!-- ... -->
    <csrf token-repository-ref="tokenRepository" />
</http>
<b:bean id="tokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository" p:cookieHttpOnly="false" />

You can configure CookieCsrfTokenRepository in Java Configuration using:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
Code Factory
Spring
Spring Security
Token
Tokenization

--

--

Code Factory

Written by Code Factory

48 Followers

More from Code Factory

See all from Code Factory

Recommended from Medium

Lists

Natural Language Processing

669 stories283 saves
Databricks role-based and specialty certification line-up.

New_Reading_List

174 stories133 saves

Staff Picks

464 stories317 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams