Revamp CSRF #15

Open
kakawait opened this issue Nov 5, 2016 · 4 comments
kakawait (Owner) commented Nov 5, 2016

No description provided.

@kakawait kakawait modified the milestone: 0.0.5 Nov 8, 2016
@kakawait kakawait modified the milestones: 0.0.5, 0.1.0 Sep 21, 2017
HJK181 commented Jan 5, 2018

Are you planning to work on this issue?

kakawait (Owner, Author) commented Jan 5, 2018

@HJK181 Not the top priority task (unlike Spring Boot 2 support).

What is exactly your problem with CSRF today?

HJK181 commented Jan 5, 2018

I have tried to stick to your project (great work, BTW) and have a problem getting XSRF to work. Or I'm missing something else.

Basically everything works, except the logout, which I'm trying to achieve by sending a POST to /logout from my UI application, but I'm getting a 403 error.

My security configuration looks like this:

@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .logout()
            .permitAll()
            // SPA client: answer logout with 200 instead of a redirect
            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
        .and()
            .authorizeRequests()
            .antMatchers("/uaa/**", "/login", "/*/bower_components/**/*", "/*/src/*", "/*/images/**/*", "/management/view3/**", "/*/view404", "/*/view403").permitAll()
        .and()
            .authorizeRequests()
            .antMatchers("/management/**/*").hasAnyRole("USER", "ADMIN")
            .antMatchers("/admin/**/*").hasRole("ADMIN")
        .and()
            .authorizeRequests().anyRequest().authenticated()
        .and()
            // csrfRequestMatcher() decides which requests must carry a token,
            // csrfTokenRepository() stores/loads it (both taken from the example project)
            .csrf().requireCsrfProtectionMatcher(csrfRequestMatcher()).csrfTokenRepository(csrfTokenRepository())
        .and()
            // csrfHeaderFilter() from the example project runs after Spring's CsrfFilter
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    // @formatter:on
}

Everything else is taken from your example(master branch).

Before adding all your configurations regarding csrfRequestMatcher, csrfHeaderFilter and csrfTokenRepository, everything worked on my local machine by running all projects from STS, with this configuration:

@Override
public void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .logout()
            .permitAll()
            // SPA client: answer logout with 200 instead of a redirect
            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
        .and()
            .authorizeRequests()
            .antMatchers("/uaa/**", "/login", "/*/bower_components/**/*", "/*/src/*", "/*/images/**/*", "/management/view3/**", "/*/view404", "/*/view403").permitAll()
        .and()
            .authorizeRequests()
            .antMatchers("/management/**/*").hasAnyRole("USER", "ADMIN")
            .antMatchers("/admin/**/*").hasRole("ADMIN")
        .and()
            .authorizeRequests().anyRequest().authenticated()
        .and()
            // XSRF-TOKEN cookie without HttpOnly, so browser JS can read it
            // and echo it back in the X-XSRF-TOKEN header on state-changing requests
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    // @formatter:on
}

But when I ran it with my old configuration via docker-compose, the login is broken and Zuul does not manage to redirect me after login. I'm getting redirected to /uaa instead of the previous route. I think it's a problem with sessions and/or XSRF. So I added all your methods and changed the HttpSecurity to the one above. Now login works, but I'm not able to log out.

Thanks in advance for your time.

kakawait (Owner, Author) commented

@HJK181 Sorry, I'm a bit confused, could you clarify which is the old configuration? The first one or the second? BTW, do you have a repo where I can check out your sample with your changes? Then I will be able to try it myself and we can try to find a solution together.
