2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article introduces how to defend against CSRF (cross-site request forgery) attacks under the Spring Security framework. It has some reference value; interested readers can refer to it, and I hope you learn a lot after reading it.
1. What is CSRF
When learning Spring Security, many people confuse CORS (cross-origin resource sharing) with CSRF (cross-site request forgery) and think the two are the same thing. They are not. Let's first explain both:
CORS (cross-origin resource sharing) is a mechanism that partially relaxes the restrictions of the same-origin policy: under rules the server declares, the browser allows HTTP requests to cross origins.
CSRF (cross-site request forgery) is a kind of attack on web applications; it can also be described as a security vulnerability, and it is widespread in web development.
When we use Spring Security, CSRF protection is enabled by default. However, you will find that with protection on, our cross-domain HTTP requests using methods such as POST, DELETE and PUT fail: they are rejected because they do not carry a CSRF token. So in the author's previous article we used http.csrf().disable() to temporarily turn off CSRF protection, but that is not secure. What is the right thing to do? That is what this article introduces.
2. How a CSRF attack works
A common CSRF attack proceeds as follows:
You log in to site A. The attacker sends messages to your site A account, or plants a forged embedded page, containing links that trigger dangerous actions.
When you click the attacker's link while you are still logged in, the link performs an operation on your site A account.
From the browser's point of view the request is initiated by you and is an ordinary HTTP request to site A, carrying your site A cookies, so the same-origin policy does not restrict it.
3. How to defend against CSRF attacks
Add a token to every request in the system. The token is random, and the server validates it. When an attacker leaves a message or forges an embedded page, they cannot predict the value of the CSRF token, so the request fails the server's CSRF token check. This method is therefore reliable to a certain extent.
But if your computer is infected with malware and your network traffic is hijacked, a token is still not enough. There is no absolute security: as defenses improve, attacks improve too. As developers, we do what we are supposed to do.
Redirect warning: when a user accidentally clicks a third-party link, a well-built application should warn the user about the related risks and let the user confirm whether they really want to follow the third-party link, or simply not allow untrusted links to appear in places such as the message area.
4. CSRF token protection in Spring Security
First, we need to enable the protection feature. After the user logs in, the generated CSRF token is saved in a cookie.

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
            // store the CSRF token in the XSRF-TOKEN cookie; HttpOnly=false so front-end JS can read it
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            // paths that do not need CSRF protection, e.g. the login endpoint
            .ignoringAntMatchers("/authentication")
            .and();
            // the rest of the HttpSecurity configuration continues here
    }
}
CookieCsrfTokenRepository generates the CSRF token and writes it into a cookie (named XSRF-TOKEN by default), with HttpOnly=false so that JavaScript can read the cookie. Note that this also means any script running on the page can read the token, so this setup relies on the application itself being free of XSS.
Use ignoringAntMatchers to exclude paths that do not require CSRF protection, such as login authorization.
At this point we have generated the CSRF token and saved it in a cookie. Every HTTP request the browser sends to the server (other than safe methods such as GET, which Spring Security exempts by default) must carry the CSRF token, and the server only responds normally when the check passes. We do not need to write this verification ourselves; Spring Security handles it automatically. What we need to focus on is the front-end code: how to carry the CSRF token correctly.
5. How to carry the CSRF token in front-end requests
In a Thymeleaf template you can use the following methods to carry the CSRF token when sending an HTTP request. For a front-end separated application or another template engine, read the CSRF token from the cookie as appropriate.
5.1 Carry the CSRF token in a header

var headers = {};
// ${_csrf.headerName} resolves to the header name Spring Security expects
// (X-XSRF-TOKEN when CookieCsrfTokenRepository is used)
headers["${_csrf.headerName}"] = "${_csrf.token}";
$.ajax({
    headers: headers
    // the remaining options (url, type, data ...) go here
});
5.2 Submit it directly as a request parameter

$.ajax({
    data: { "_csrf": "${_csrf.token}" }
    // the remaining options (url, type ...) go here
});

5.3 Hidden field in a form
Thank you for reading this article carefully. I hope the article "how to achieve CSRF cross-site attack defense under the framework of SpringSecurity" shared by the editor will be helpful to everyone. At the same time, I also hope that you will support and pay attention to the industry information channel. More related knowledge is waiting for you to learn!