I have enabled CSRF in my Spring + Thymeleaf application. The good thing is that Thymeleaf automatically takes care of adding CSRF to every < form > in html. The problem is that Ajax calls submitting those forms are now failing and I want to know if there is a standard solution to this.
The other issue on the other hand is that my application is going to support Restful APIs. When I am enabling CSRF in my application, the authentication from client using API fails.
So the question is that is there a way to enable CSRF for web browsing and disable it for my Restful API?
On the other hand disabling the CSRF makes restful APIs vulnerable to attacks if the attacker knows about them. So what is the best practice here?
Thanks
For First Scenario to submit form using ajax call you need to manually add hidden input generated by csrf in form.
For second case you can exclude some url from interceptor in your case you can exclude url from CSRF interceptor.
exclude tag is present in spring 3.2
<mvc:interceptor>
<mvc:exclude-mapping path="/your_url"/>
</mvc:interceptors>
Related
I need to know If I can use JWT in grails application using spring security plugin. I want to generate token store it in cookie and than use it to login. Is it Possible through spring security plugin?
Please checkout https://github.com/alvarosanchez/grails-spring-security-rest the rest security plugin. It has support for JWT and is straight forward to configure.
Be aware that there's a possible security issue with JWT (the user is serialized in the JWT token and deserialized without checking the existence of the user), I made a pull request for this.
I'm about to implement a token based authentication system with Spring Boot and Json web token. I have a frontend app built with Angular. My understanding is that once authenticated, all API calls from the angular app will send the token to the server to be verified before a response is sent back.
I'm wondering then how Spring Security would fit into the picture. It seems like it is no longer necessary if I just use the server to verify the token every time the frontend makes a call.
My question is whether or not Spring Security is required in this instance and if it is, what role will/can it play?
I would like to know from the outset before diving in. Thanks!
How can I prevent CSRF protection using Tomcat 7 ?
I have heard that tomcat 7 provides CSRF filter
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/filters/CsrfPreventionFilter.html
But is it thread safe ?
Or shall we do a custom protection in our spring 3 application ?
CsrfPreventionFilter is a good way to prevent CSRF attacks, altough it's part of the tomcat code base and is based on putting the token in the URL.
This means the token will be logged etc, it's better to put the token in a hidden field in each form of the page.
Spring security 3.2 will have built-in support, and the solution would also work in other application servers. But depending on your application there is probably no need for building a custom protection at the spring level, the tomcat solution works OK.
The tomcat filter is thread-safe, given that each http request is handled from beginning to end by one thread, and that the token cache has synchronized access.
I and my team have developed a small spring project. We have jsp pages in which we have written ajax calls and through these calls data is fetched, as JSON, and displayed through javascript. Now we need to add security to both, the JSP pages and REST services.
Our requirements:
The server should be stateless
Client cannot be expected to store cookies.
Credentials sent to the server should not be plain text
I am new to Spring Security so I would appreciate if I can get any help in implementing it.
1 . The server should be state less.
Starting spring 3.1 it is easy as setting an attribute in your spring security http tag.
<http create-session="stateless"> ..</http>
2 . Client cannot be expected to store cookies.
Then I would opt for basic authentication for the rest api and ajax calls.
The client however has to cache the username and password and send it with each request.
3 . Credentials to the server should not be plaintext.
Use HTTPS with a valid SSL Certificate.
I have a Spring MVC application that uses Spring Security to handle user login authentication, which works fine.
Now I want to add some Ember.js and Angular.js code to the HTML pages that accesses the Spring RESTful web services (which just return JSON data).
How do I bind the user login authentication to the authentication for the RESTful web services? In other words, I want to make it so that the RESTful web services can only be accessed once a user has logged in. That way, the Angular.js and Ember.js libraries can access these RESTful web services securely from my user pages only without anyone else being able to directly call them.
I read on one other post that Spring Security was never meant to be used with a full Ajax framework, is that true? I hope this is not the case. I'd imagine that this type of thing must be pretty common now as there are so many AJAX client side frameworks that work based off accessing a JSON/RESTful API.
It is certainly not true that Spring Security was never meant to be or cannot be used in AJAX applications. I have two applications in production that use Spring Security as well as AJAX and more applications under development with the same mix.
If you are going to use EmberJS or AngularJS in an existing web application with Spring Security working, you should not face too many problems if you simply add the JavaScript library to your project. This is because once your users are authenticated, any normal HTTP requests will be treated as authenticated as well because the browser will ensure that session information is passed back and forth using cookies or URL parameters, as appropriate. You can see one of my working examples on Github for Spring Security and EmberJS integration.
The only thing you may need to worry about is CSRF tokens for form submissions using AJAX. The latest Spring Security documentation has a small section dedicated to this so you should not face too many problems getting that to work either. However, I would like to clarify that this particular issue is not specific to Spring Security. CSRF protection typically involves including a secure, randomly generated token with every HTTP POST request. The challenge arises from making existing JavaScript libraries aware of this token and how it should be included in HTTP POST requests. This would be a challenge in any application, not just those using Spring Security.
If however you will work with stateless clients, such as, mobile devices, you will be unable to rely on the default Spring Security mechanism of storing the user credentials in HTTP Session because HTTP requests will not have information to tie them to a session. This again is not specific to a Spring or Spring Security application because the constraint is imposed by the nature of the client and the client-server communication rather than any server-side technology. In such circumstances you will need to pass some authentication token in the HTTP headers for the application to maintain security state on the server side. I have a working example for this as well. If you need more details, there are articles on the web that explain how to do something like this with Spring Security.