Spring Security: CSRF protection

Published at: 1/1/2025
Categories: spring, springsecurity
Author: saladlam

The code below is extracted from my notice board example application, which uses Spring Security 5.6.7.

The CsrfFilter

CSRF protection is enabled by default when HttpSecurity is configured. A CsrfFilter is created, and it behaves as follows.

When the request method is not "GET", "HEAD", "TRACE" or "OPTIONS", the filter checks whether the CSRF token supplied with the request matches the one recorded in the token repository. If they do not match, a 403 Forbidden response is returned.

Otherwise, a SaveOnAccessCsrfToken is generated and saved as an HttpServletRequest attribute under the names org.springframework.security.web.csrf.CsrfToken and _csrf. This token is not persisted unless it is accessed, for example by a template engine. Persistence is handled by an HttpSessionCsrfTokenRepository instance, which stores the token as an HttpSession attribute named org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN.

Token access by the Thymeleaf engine

When rendering an HTML form tag, such as

<form method="post" th:action="@{/loginHandler}" class="ui large form">

a hidden input tag carrying the CSRF token is appended to it. In other words

<form method="post" action="/loginHandler" class="ui large form"><input type="hidden" name="_csrf" value="3c2ffa6d-ab75-41f3-ba10-7c423bf56071"/>

This is done by SpringActionTagProcessor, which then goes through the following methods to obtain the CSRF token:

org.thymeleaf.spring5.requestdata.RequestDataValueProcessorUtils#getExtraHiddenFields
org.thymeleaf.spring5.context.webmvc.SpringWebMvcThymeleafRequestDataValueProcessor#getExtraHiddenFields
org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor#getExtraHiddenFields
@Override
public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
    // Set by processAction() for forms whose method is GET/HEAD/TRACE/OPTIONS: no hidden field needed.
    if (Boolean.TRUE.equals(request.getAttribute(this.DISABLE_CSRF_TOKEN_ATTR))) {
        request.removeAttribute(this.DISABLE_CSRF_TOKEN_ATTR);
        return Collections.emptyMap();
    }
    // The token CsrfFilter placed in the request under the CsrfToken class name.
    CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (token == null) {
        return Collections.emptyMap();
    }
    // getToken() is the access that makes a SaveOnAccessCsrfToken persist itself to the session.
    Map<String, String> hiddenFields = new HashMap<>(1);
    hiddenFields.put(token.getParameterName(), token.getToken());
    return hiddenFields;
}
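The behaviour described in the two sections above (the filter's split between safe and state-changing methods, the token that is only persisted on access, and the template access that triggers that persistence) can be run as a plain-Java model without a servlet container. This is an added example, not code from this post or from Spring Security: the Session, Request, LazyToken, doFilter and renderHiddenField names are the example's own, the requests in main are constructed sample input, and the X-CSRF-TOKEN header name is assumed to be Spring's default.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

public class CsrfFilterModel {

    // Methods the filter leaves unchecked.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "TRACE", "OPTIONS");

    // Attribute names quoted in the post; the header name is an assumption (Spring's default).
    static final String SESSION_ATTR =
            "org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN";
    static final String TOKEN_ATTR = "org.springframework.security.web.csrf.CsrfToken";
    static final String PARAM_NAME = "_csrf";
    static final String HEADER_NAME = "X-CSRF-TOKEN";

    /** Stand-in for HttpSession: an attribute map. */
    static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
    }

    /** Stand-in for HttpServletRequest, constructed for this example. */
    static final class Request {
        final String method;
        final Session session;
        final Map<String, String> headers = new HashMap<>();
        final Map<String, String> parameters = new HashMap<>();
        final Map<String, Object> attributes = new HashMap<>();
        Request(String method, Session session) { this.method = method; this.session = session; }
    }

    /** Token written to the session only on first access, like SaveOnAccessCsrfToken. */
    static final class LazyToken {
        private final String value;
        private final Session session;
        private boolean saved;
        LazyToken(String value, Session session, boolean alreadySaved) {
            this.value = value; this.session = session; this.saved = alreadySaved;
        }
        String getToken() {
            if (!saved) {                       // the first access is what persists the token
                session.attributes.put(SESSION_ATTR, value);
                saved = true;
            }
            return value;
        }
    }

    /** Returns the status the filter would produce: 200 (request passes) or 403. */
    static int doFilter(Request request) {
        Object stored = request.session.attributes.get(SESSION_ATTR);
        LazyToken token = (stored == null)
                ? new LazyToken(UUID.randomUUID().toString(), request.session, false)
                : new LazyToken((String) stored, request.session, true);
        // Expose the token to templates under both attribute names.
        request.attributes.put(TOKEN_ATTR, token);
        request.attributes.put(PARAM_NAME, token);
        if (SAFE_METHODS.contains(request.method)) {
            return 200;                         // safe methods are not checked
        }
        // Header takes precedence over the form parameter.
        String actual = request.headers.get(HEADER_NAME);
        if (actual == null) {
            actual = request.parameters.get(PARAM_NAME);
        }
        if (actual == null || !constantTimeEquals(token.getToken(), actual)) {
            return 403;                         // missing or mismatching token
        }
        return 200;
    }

    // Comparison whose running time does not depend on how many characters matched.
    static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /** What the template engine does: reading the token is what persists it. */
    static String renderHiddenField(Request request) {
        LazyToken token = (LazyToken) request.attributes.get(TOKEN_ATTR);
        return "<input type=\"hidden\" name=\"" + PARAM_NAME + "\" value=\"" + token.getToken() + "\"/>";
    }

    public static void main(String[] args) {
        Session session = new Session();

        // 1. A GET that never touches the token leaves the session empty.
        doFilter(new Request("GET", session));
        System.out.println("session has token after plain GET: " + session.attributes.containsKey(SESSION_ATTR));

        // 2. A GET that renders a form builds the hidden field and thereby persists the token.
        Request formGet = new Request("GET", session);
        doFilter(formGet);
        System.out.println("rendered: " + renderHiddenField(formGet));
        String issued = (String) session.attributes.get(SESSION_ATTR);

        // 3. A POST carrying the issued token in _csrf passes.
        Request goodPost = new Request("POST", session);
        goodPost.parameters.put(PARAM_NAME, issued);
        System.out.println("POST with valid _csrf -> " + doFilter(goodPost));

        // 4. A cross-site form cannot know the token: wrong or absent values give 403.
        Request badPost = new Request("POST", session);
        badPost.parameters.put(PARAM_NAME, "not-the-real-token");
        System.out.println("POST with wrong _csrf -> " + doFilter(badPost));
        System.out.println("POST without token   -> " + doFilter(new Request("POST", session)));
    }
}
```

Compile with javac and run: the first GET leaves the session without a token, rendering the form persists it, the POST that echoes the hidden field passes, and the two POSTs without the right value are refused with 403. The same check is what any client of the application must satisfy, by sending the token either in the _csrf parameter or in the header.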
