SpringBoot - Angular 5 - CSRF
I am lost now and need some help.

I have a

  • SpringBoot Server with SpringSecurity 4.3.
  • Angular 5 App

And I want to enable CSRF protection, since it should be enabled on both by default (says the docs): It's NOT!

On SpringBoot I need to add these security configs:

http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

On Angular I need to add these Modules:

imports: [
    ...,
    HttpClientModule,
    HttpClientXsrfModule, //(!)
...

Bottom line: the server sends the XSRF-TOKEN in each response.

- But a different one on each. Is that correct? I expected it to be the same for a client session.

- The main problem here is that Angular 5 still didn't use the XSRF-TOKEN in its POST calls (e.g.). It doesn't set an X-XSRF-TOKEN in its requests.

What am I doing wrong or missing?

Caterpillar answered 16/11, 2017 at 16:25 Comment(1)
Another solution can be found here. - Cacie

I had this same problem and I think it is a regression due to version 5 of Angular.

Until this is fixed you can add your own 'X-XSRF-TOKEN' header as I did.

 constructor(private http: HttpClient, private tokenExtractor: HttpXsrfTokenExtractor) {
    }

then extract manually a token

const token = this.tokenExtractor.getToken() as string;

and add it to the header

this.http.post<any>(url, body, {headers: new HttpHeaders().set('X-XSRF-TOKEN', token)})

Houssem

Nail answered 18/12, 2017 at 13:5 Comment(2)
Thanks, that really helps. :) No need to deactivate it anymore. - Caterpillar
@Nail I am trying your code but getting null in const token. I am using Angular 6. Any other solution for the same? - Horney
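
The cookie-to-header exchange discussed in this thread, as an added TypeScript example that is not code from the posts, from Angular or from Spring. It models when a client following Angular's documented default (mutating requests to relative URLs only, token cookie present) sends X-XSRF-TOKEN, and the comparison the server makes; the function names and the sample cookie string are constructed assumptions.

```typescript
// Added example: a model of the double-submit (cookie-to-header) CSRF check.
const COOKIE_NAME = "XSRF-TOKEN";    // cookie written by CookieCsrfTokenRepository
const HEADER_NAME = "X-XSRF-TOKEN";  // header the server compares against the cookie

// Constructed sample of what document.cookie could look like after a first response.
const SAMPLE_COOKIES = "JSESSIONID=abc123; XSRF-TOKEN=3f2a-constructed-token";

// Read one cookie value out of a document.cookie-style string.
function readCookie(cookies: string, name: string): string | null {
  for (const part of cookies.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Client side: headers to add to an outgoing request. Returns {} when the
// default rules skip the request, which is when the header goes missing.
function xsrfHeaders(method: string, url: string, cookies: string): Record<string, string> {
  const m = method.toUpperCase();
  const u = url.toLowerCase();
  if (m === "GET" || m === "HEAD") return {};                              // non-mutating
  if (u.startsWith("http://") || u.startsWith("https://")) return {};      // absolute URL
  const token = readCookie(cookies, COOKIE_NAME);
  if (token === null) return {};               // cookie not readable (HttpOnly, other path)
  return { [HEADER_NAME]: token };
}

// Server side: accept a mutating request only if header and cookie carry the same token.
function serverAccepts(cookies: string, headers: Record<string, string | undefined>): boolean {
  const expected = readCookie(cookies, COOKIE_NAME);
  const actual = headers[HEADER_NAME];
  if (expected === null || actual === undefined) return false;
  if (expected.length !== actual.length) return false;
  let diff = 0;                                // compare without an early exit
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ actual.charCodeAt(i);
  }
  return diff === 0;
}
```

A POST to an absolute URL such as `http://localhost:8080/api/items` yields no header under these rules, so the server-side comparison fails even though the cookie is present.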
