2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Today I will talk about how to use Spring Security's CSRF protection with a custom handler in Spring Boot. Many people may not know much about it, so the editor has summarized the following; I hope you get something out of this article.

If you look at the CsrfFilter source code, the first step is HttpSessionCsrfTokenRepository.loadToken, which loads the CsrfToken. In practice the token is read from the session:
    public CsrfToken loadToken(HttpServletRequest request) {
        // Do not create a session just to look for a token
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        return (CsrfToken) session.getAttribute(this.sessionAttributeName);
    }
If no token exists yet, a new CsrfToken is created and saved in the session:
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        if (token == null) {
            // A null token means "remove the stored token" (only if a session exists)
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(this.sessionAttributeName);
            }
        } else {
            // Create the session if necessary and store the token in it
            HttpSession session = request.getSession();
            session.setAttribute(this.sessionAttributeName, token);
        }
    }
After that, the filter takes the token from the request and compares it with the token loaded from the session. With CSRF protection enabled, the four methods GET, HEAD, TRACE and OPTIONS are not verified; every other request must carry the token, either as the X-CSRF-TOKEN request header or as the _csrf parameter of the POST body. Only then does the filter have a request-side value to compare against the session token:
    // Header first, then the request parameter
    String actualToken = request.getHeader(csrfToken.getHeaderName());
    if (actualToken == null) {
        actualToken = request.getParameter(csrfToken.getParameterName());
    }
    boolean missingToken = actualToken == null;
    if (!csrfToken.getToken().equals(actualToken)) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Invalid CSRF token found for " + UrlUtils.buildFullRequestUrl(request));
        }
        // Distinguish "no token sent" from "wrong token sent"
        if (missingToken) {
            this.accessDeniedHandler.handle(request, response, new MissingCsrfTokenException(actualToken));
        } else {
            this.accessDeniedHandler.handle(request, response, new InvalidCsrfTokenException(csrfToken, actualToken));
        }
        return;
    }
If the token extracted from the request does not equal the one from the session, control enters accessDeniedHandler.handle. By default this accessDeniedHandler is AccessDeniedHandlerImpl, whose method looks like this:
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
        if (!response.isCommitted()) {
            if (this.errorPage != null) {
                // Expose the exception to the error page and forward to it inside the server
                request.setAttribute("SPRING_SECURITY_403_EXCEPTION", accessDeniedException);
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                RequestDispatcher dispatcher = request.getRequestDispatcher(this.errorPage);
                dispatcher.forward(request, response);
            } else {
                response.sendError(403, accessDeniedException.getMessage());
            }
        }
    }
If errorPage is set, the request is forwarded inside the server to that path, passes through each of the security filters again, and in the end the login still succeeds. That is not what I want, so I customize an accessDeniedHandler. The code is below: on a CSRF mismatch for anything other than the login request, the current user is logged out; the login request itself does not get a CSRF check.
    @Component
    public class CsrfAccessDeniedHandler implements AccessDeniedHandler {

        // Invalidates the session and clears the SecurityContext
        private SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();

        // Writes the logout response for AJAX clients (project-specific bean)
        @Autowired
        private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException e) throws IOException, ServletException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            logoutHandler.logout(request, response, auth);
            ajaxLogoutSuccessHandler.onLogoutSuccess(request, response, auth);
        }
    }
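One caveat with the handler above: AccessDeniedHandler is invoked for every access denial, not only CSRF failures, so the article's version also logs a user out when, say, a role check fails. The following variant (an added example, not code from the article) logs out only on CSRF exceptions and returns a plain 403 otherwise; the package name, the javax servlet imports and the inline JSON body are assumptions in place of the article's AjaxLogoutSuccessHandler.

```java
// Added example: log the user out only when the denial was caused by CsrfFilter.
package com.example.security; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;           // assumes Spring Boot 2 / javax servlet API
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.stereotype.Component;

@Component
public class CsrfOnlyAccessDeniedHandler implements AccessDeniedHandler {

    // Invalidates the HTTP session and clears the SecurityContext
    private final SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException e) throws IOException, ServletException {
        // MissingCsrfTokenException and InvalidCsrfTokenException both extend
        // CsrfException, so one check covers both cases raised by CsrfFilter.
        if (e instanceof CsrfException) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            logoutHandler.logout(request, response, auth);
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("application/json");
            // Constructed response body standing in for AjaxLogoutSuccessHandler
            response.getWriter().write("{\"error\":\"csrf\",\"loggedOut\":true}");
            return;
        }
        // Any other denial (e.g. insufficient role): 403, but keep the session alive
        response.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
    }
}
```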
Then register it in SecurityConfig:
    // The handler bean defined above
    @Autowired
    private CsrfAccessDeniedHandler csrfAccessDeniedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // allow same-origin iframes
        http.headers().frameOptions().sameOrigin();
        // the login page does not get a CSRF check
        http.csrf().ignoringAntMatchers("/login");
        // exception handling: use the custom handler on CSRF failures
        http.exceptionHandling().accessDeniedHandler(csrfAccessDeniedHandler);
    }