cas-security-spring-boot-starter

Enabling CSRF

Open ankit-test-repo opened this issue 7 years ago • 3 comments

Hi, I am having difficulties enabling CSRF.

I have added security.enable-csrf=true in the properties file. However, I think line 191 in CasHttpSecurityConfigurer.java still gets triggered.

Is there a different property that needs to be set?

ankit-test-repo avatar Jun 28 '18 13:06 ankit-test-repo

By default the application is CSRF protected. How do you confirm that CSRF is not enabled for you? Because last time I tried, I got CSRF by default.

kakawait avatar Jul 02 '18 09:07 kakawait

Yeah... I thought so too. But when debugging a controller method I can't seem to find the CSRF token. Neither does it appear in the header when debugging in the browser.

Below is the code I am using in my controller. I tried with other token names but none worked.

WebUtils.getCookie(request, "XSRF-TOKEN").getValue();

Any idea?

ankit-test-repo avatar Jul 03 '18 09:07 ankit-test-repo

@ankitwashere By default Spring Security will not include your CSRF token on the client side; you must include it or use CookieCsrfTokenRepository as described in the doc https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-include-csrf-token

kakawait avatar Sep 02 '18 08:09 kakawait
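
Added example, not part of the thread and not code from the starter project: a Spring Security 5.x style configuration that switches to CookieCsrfTokenRepository, plus a controller that checks for the token through the request attribute set by CsrfFilter rather than through a cookie. The class names, the /csrf-debug path and the use of a plain WebSecurityConfigurerAdapter are assumptions; how this hooks into the starter's own configurer is not shown on this page.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical configuration class (assumption: you control the HttpSecurity being built).
@Configuration
class CsrfCookieConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The default repository keeps the token in the HTTP session, so no
        // XSRF-TOKEN cookie ever exists. This repository writes the token to an
        // XSRF-TOKEN cookie and expects it back in the X-XSRF-TOKEN header.
        // withHttpOnlyFalse() lets client-side JavaScript read the cookie.
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

// Hypothetical debug controller: confirms CSRF protection is active without
// depending on which token repository is configured.
@RestController
class CsrfDebugController {
    @GetMapping("/csrf-debug")
    public String show(HttpServletRequest request) {
        // CsrfFilter stores the current token under this request attribute for
        // both the session-based and the cookie-based repository.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token == null) {
            // CsrfFilter did not run for this request, so CSRF is disabled
            // (or this path is outside the secured filter chain).
            return "CSRF filter not active for this request";
        }
        // Report only the names the client must use, not the token value.
        // With the cookie repository, a first request carries no XSRF-TOKEN
        // cookie yet (it is set on the response), so
        // WebUtils.getCookie(request, "XSRF-TOKEN") can return null there.
        return "header=" + token.getHeaderName() + ", parameter=" + token.getParameterName();
    }
}
```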