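/**
 * Publishes the current CSRF token on the response as three headers: the header name and the
 * parameter name Spring Security accepts the token in, and the token value itself. Requests that
 * carry no token pass through without any headers being added.
 */
@Override
  protected void doFilterInternal(
      HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {
    // Spring Security's CsrfFilter stores the current token under the "_csrf" request attribute.
    // The attribute can be absent (CSRF disabled, or this filter ordered ahead of CsrfFilter),
    // so guard against it instead of failing the whole request with a NullPointerException.
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");

    if (token != null) {
      // Spring Security will allow the token to be included in this header name
      response.setHeader("X-CSRF-HEADER", token.getHeaderName());

      // Spring Security will allow the token to be included in this parameter name
      response.setHeader("X-CSRF-PARAM", token.getParameterName());

      // The value of the token, to be sent back as either the header or the HTTP parameter
      response.setHeader("X-CSRF-TOKEN", token.getToken());
    }

    filterChain.doFilter(request, response);
  }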
  /**
   * Authenticates the submitted credentials and, on success, makes sure the browser holds an
   * {@code XSRF-TOKEN} cookie matching the server-side CSRF token so it can be echoed back on
   * later requests.
   *
   * @param loginDto validated credentials from the request body
   * @param request the current request; the CSRF token and existing cookie are read from it
   * @param response the response the refreshed cookie is added to
   * @return the page data with 200 when authenticated, otherwise with 401
   */
  @RequestMapping(value = "login", method = RequestMethod.POST)
  ResponseEntity<PageDto> login(
      @Validated @RequestBody LoginDto loginDto,
      HttpServletRequest request,
      HttpServletResponse response) {

    PageDto pageDto = userService.login(loginDto);

    // Failed login: return the page with 401 and do no cookie work at all.
    if (!pageDto.getHeaderDto().isAuth()) {
      return new ResponseEntity<>(pageDto, null, HttpStatus.UNAUTHORIZED);
    }

    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrf != null) {
      Cookie existing = WebUtils.getCookie(request, "XSRF-TOKEN");
      String tokenValue = csrf.getToken();
      Authentication auth = SecurityContextHolder.getContext().getAuthentication();
      // Rewrite the cookie only when it is missing or out of date, and only for a live principal.
      boolean cookieStale =
          existing == null || (tokenValue != null && !tokenValue.equals(existing.getValue()));
      boolean principalAuthenticated = auth != null && auth.isAuthenticated();
      if (cookieStale && principalAuthenticated) {
        Cookie refreshed = new Cookie("XSRF-TOKEN", tokenValue);
        refreshed.setPath("/");
        response.addCookie(refreshed);
      }
    }
    return new ResponseEntity<>(pageDto, null, HttpStatus.OK);
  }
    /**
     * Attaches a freshly generated CSRF token to the mock request, either as the token header or
     * as the token request parameter, optionally corrupting the value so the request is expected
     * to be rejected by the filter under test.
     *
     * @param request the mock request to decorate
     * @return the same request instance with the token attached
     */
    public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
      CsrfTokenRepository tokenRepository = WebTestUtils.getCsrfTokenRepository(request);
      CsrfToken generated = tokenRepository.generateToken(request);
      // Persist the token so the CsrfFilter can load and compare it later in the test.
      tokenRepository.saveToken(generated, request, new MockHttpServletResponse());

      String value = generated.getToken();
      if (useInvalidToken) {
        // Prefix rather than replace, so the value is guaranteed not to equal the stored token.
        value = "invalid" + value;
      }

      if (asHeader) {
        request.addHeader(generated.getHeaderName(), value);
        return request;
      }
      request.setParameter(generated.getParameterName(), value);
      return request;
    }
  /**
   * Verifies that {@code formLogin()} with no customisation builds a POST to {@code /login}
   * carrying the default credentials and a CSRF parameter equal to the repository's token.
   */
  @Test
  public void defaults() throws Exception {
    MockHttpServletRequest built = formLogin().buildRequest(this.servletContext);
    Object tokenAttr =
        built.getAttribute(CsrfRequestPostProcessor.TestCsrfTokenRepository.ATTR_NAME);
    CsrfToken csrfToken = (CsrfToken) tokenAttr;

    assertThat(built.getParameter("username")).isEqualTo("user");
    assertThat(built.getParameter("password")).isEqualTo("password");
    assertThat(built.getMethod()).isEqualTo("POST");
    assertThat(built.getParameter(csrfToken.getParameterName())).isEqualTo(csrfToken.getToken());
    assertThat(built.getRequestURI()).isEqualTo("/login");
    assertThat(built.getParameter("_csrf")).isNotNull();
  }
 /**
  * Mirrors the server-side CSRF token into a readable {@code XSRF-TOKEN} cookie so a browser
  * client can send it back as a header. The cookie is (re)written only when it is missing or its
  * value no longer matches the token; requests without a token pass through untouched.
  */
 @Override
 protected void doFilterInternal(
     HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
     throws ServletException, IOException {
   CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
   if (csrfToken == null) {
     filterChain.doFilter(request, response);
     return;
   }

   Cookie current = WebUtils.getCookie(request, "XSRF-TOKEN");
   String value = csrfToken.getToken();
   boolean needsRefresh =
       current == null || (value != null && !value.equals(current.getValue()));
   if (needsRefresh) {
     Cookie refreshed = new Cookie("XSRF-TOKEN", value);
     refreshed.setPath("/");
     response.addCookie(refreshed);
   }
   filterChain.doFilter(request, response);
 }
  /**
   * Writes the token value into the configured cookie, or clears the cookie when {@code token}
   * is {@code null}.
   *
   * @param token the token to persist, or {@code null} to remove the stored token
   * @param request the current request, handed to the cookie writer
   * @param response the response the cookie is added to
   */
  @Override
  public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
    CookieSaver cookieSaver = new CookieSaver(getCookieConfig());
    // A null value tells the saver to clear the cookie rather than store one.
    String value = token == null ? null : token.getToken();
    cookieSaver.set(request, response, value);
  }
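  /**
   * Pushes the current CSRF token to the client as a readable {@code CSRF-TOKEN} cookie so a
   * browser front end (AngularJS, per the original design) can echo it back in the
   * {@code X-CSRF-TOKEN} header. The cookie is only written when the token the client presented
   * (if any) differs from the server-side token. Requests without a token pass straight through.
   */
  @Override
  protected void doFilterInternal(
      HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {
    // Spring Security's CsrfFilter exposes the token under the "_csrf" request attribute. It is
    // absent when CSRF protection is disabled or this filter is ordered ahead of CsrfFilter, so
    // guard against a missing token instead of failing the request with a NullPointerException.
    CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
    if (csrfToken != null) {
      String serverToken = csrfToken.getToken();
      // Send the cookie only if the token the client presented does not match the current one
      String presentedToken = request.getHeader("X-CSRF-TOKEN");
      if (presentedToken == null || !presentedToken.equals(serverToken)) {
        Cookie cookie = new Cookie("CSRF-TOKEN", serverToken);
        cookie.setMaxAge(-1); // session cookie: discarded when the browser closes
        // Deliberately readable from JavaScript: the client has to copy it into the header.
        cookie.setHttpOnly(false);
        cookie.setPath("/");
        // Mark the cookie Secure whenever the request itself arrived over TLS, so the token is
        // never replayed over plain HTTP; behaviour on plain-HTTP deployments is unchanged.
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
      }
    }
    filterChain.doFilter(request, response);
  }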
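  /**
   * Exposes the current CSRF token to the client in the {@code XSRF-TOKEN} response header and
   * adds an {@code XSRF_TOKEN} cookie. Requests without a token get no header but still receive
   * the cookie.
   */
  @Override
  protected void doFilterInternal(
      HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {
    // Spring Security's CsrfFilter stores the token under the "_csrf" request attribute. It can
    // be absent (CSRF disabled, or this filter ordered ahead of CsrfFilter), so guard against it
    // instead of failing the request with a NullPointerException.
    CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
    if (token != null) {
      // The token value, to be sent back by the client as either a header or an HTTP parameter
      response.setHeader("XSRF-TOKEN", token.getToken());
    }

    // NOTE(review): this cookie carries a fixed literal rather than the live token, and its name
    // uses an underscore while the header above uses a hyphen. A constant value cannot act as a
    // CSRF secret — confirm whether the intent was token.getToken() and the "XSRF-TOKEN" name.
    Cookie cookie = new Cookie("XSRF_TOKEN", "C4186A42B1E72E179B25DA27865DC0E4");
    response.addCookie(cookie);

    filterChain.doFilter(request, response);
  }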
  /**
   * Keeps the client-side CSRF cookie ({@link CookieBlog#CSRF_NAME}) in sync with the
   * server-side token: it is written when missing or when its value differs from the current
   * token. Requests that carry no token pass straight through.
   */
  @Override
  protected void doFilterInternal(
      HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {
    final CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());

    if (csrfToken != null) {
      Cookie existing = WebUtils.getCookie(request, CookieBlog.CSRF_NAME);
      final String value = csrfToken.getToken();
      boolean outOfSync =
          existing == null || (value != null && !value.equals(existing.getValue()));
      if (outOfSync) {
        Cookie refreshed = new Cookie(CookieBlog.CSRF_NAME, value);
        refreshed.setPath(COOKIE_PATH);
        response.addCookie(refreshed);
      }
    }

    filterChain.doFilter(request, response);
  }