What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?

by

CSRF stands for Cross Site Request Forgery

It is one kind of token that is sent with the request to prevent the attacks. In order to use the Spring Security CSRF protection, we’ll first need to make sure we use the proper HTTP methods for anything that modifies the state (PATCH, POST, PUT, and DELETE – not GET).

CSRF protection with Spring CookieCsrfTokenRepository works as follows:

  • The client makes a GET request to Server (Spring Boot Backend), e.g. request for the main page
  • Spring sends the response for GET request along with Set-cookie header which contains securely generated XSRF Token
  • The browser sets the cookie with XSRF Token
  • While sending a state-changing request (e.g. POST) the client (might be angular) copies the cookie value to the HTTP request header
  • The request is sent with both header and cookie (browser attaches the cookie automatically)
  • Spring compares the header and the cookie values, if they are the same the request is accepted, otherwise, 403 is returned to the client

The method withHttpOnlyFalse allows angular to read XSRF cookie. Make sure that Angular makes XHR request with withCreddentials flag set to true.

Code from CookieCsrfTokenRepository

@Override
public CsrfToken generateToken(HttpServletRequest request) {
    return new DefaultCsrfToken(this.headerName, this.parameterName,
            createNewToken());
}

@Override
public void saveToken(CsrfToken token, HttpServletRequest request,
        HttpServletResponse response) {
    String tokenValue = token == null ? "" : token.getToken();
    Cookie cookie = new Cookie(this.cookieName, tokenValue);
    cookie.setSecure(request.isSecure());
    if (this.cookiePath != null && !this.cookiePath.isEmpty()) {
            cookie.setPath(this.cookiePath);
    } else {
            cookie.setPath(this.getRequestContext(request));
    }
    if (token == null) {
        cookie.setMaxAge(0);
    }
    else {
        cookie.setMaxAge(-1);
    }
    cookie.setHttpOnly(cookieHttpOnly);
    if (this.cookieDomain != null && !this.cookieDomain.isEmpty()) {
        cookie.setDomain(this.cookieDomain);
    }

    response.addCookie(cookie);
}

@Override
public CsrfToken loadToken(HttpServletRequest request) {
    Cookie cookie = WebUtils.getCookie(request, this.cookieName);
    if (cookie == null) {
        return null;
    }
    String token = cookie.getValue();
    if (!StringUtils.hasLength(token)) {
        return null;
    }
    return new DefaultCsrfToken(this.headerName, this.parameterName, token);
}


public static CookieCsrfTokenRepository withHttpOnlyFalse() {
    CookieCsrfTokenRepository result = new CookieCsrfTokenRepository();
    result.setCookieHttpOnly(false);
    return result;
}

You may explore the methods here

More Related Contents:

  1. Filter invoke twice when register as Spring bean
  2. Spring security CORS Filter
  3. How to disable ‘X-Frame-Options’ response header in Spring Security?
  4. How to enable HTTP response caching in Spring Boot
  5. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  6. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  7. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  8. Securing Spring Boot API with API key and secret
  9. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  10. How do I disable resolving login parameters passed as url parameters / from the url
  11. How do I add method based security to a Spring Boot project?
  12. disabling spring security in spring boot app [duplicate]
  13. Disabling a filter for only a few paths
  14. Spring Boot and multiple external configuration files
  15. How to get active user’s UserDetails
  16. Spring Boot – inject map from application.yml
  17. Java Spring Boot: How to map my app root (“/”) to index.html?
  18. Read file from resources folder in Spring Boot
  19. Filter order in spring-boot
  20. No serializer found for class org.hibernate.proxy.pojo.bytebuddy.ByteBuddyInterceptor
  21. Spring Boot: Unable to start EmbeddedWebApplicationContext due to missing EmbeddedServletContainerFactory bean
  22. Websocket Authentication and Authorization in Spring
  23. Hot swapping in Spring Boot
  24. java.lang.IllegalArgumentException: No converter found for return value of type
  25. How to apply Spring Security filter only on secured endpoints?
  26. Configuration using annotation @SpringBootApplication
  27. Spring security’s SecurityContextHolder: session or request bound?
  28. Spring-Boot How to properly inject javax.validation.Validator
  29. Missing CrudRepository#findOne method
  30. How to reload authorities on user update with Spring Security

Leave a Comment