Need help setting up CSRF on spring backend with a react frontend

I was just going through the Spring docs to set up CSRF protection with a SPA (React) frontend and found this code that they suggest using:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // ...
            .csrf((csrf) -> csrf
                // keep the token in an XSRF-TOKEN cookie that the SPA's JavaScript can read
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // SpaCsrfTokenRequestHandler and CsrfCookieFilter are defined in the linked docs section
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())
            )
            // make sure the cookie is written on every response, not only when _csrf is rendered
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }
}
7 Replies
Milk Packet
Milk PacketOP6mo ago
One question I have here is regarding this line: .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class); which adds the filter after BasicAuthenticationFilter.class. But I have implemented a custom UsernamePasswordAuthenticationFilter, since I was using a React frontend that sends JSON data to the backend, like so: https://pastecord.com/afugurebyr My question is, instead of adding the filter after BasicAuthenticationFilter, do I add it after my customUsernamePasswordAuthFilter? Here's the link to the docs I'm referring to, by the way: https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-integration-javascript
Peter Rader
Peter Rader6mo ago
What do you mean with SPA, do you mean a single-page-application?
Milk Packet
Milk PacketOP6mo ago
Yup, my React frontend.
Peter Rader
Peter Rader6mo ago