In this Spring Boot Security tutorial, we will see step by step how to configure protection against CSRF (Cross-Site Request Forgery) attacks. A Cross-Site Request Forgery attack executes unwanted requests against a web application without the end user intending them. The end user's browser is made to issue these requests, which can corrupt the user's data in the database or show unwanted information in the browser.



What is CSRF attack?

CSRF (Cross-Site Request Forgery) is an attack that forces the end user's browser to make unwanted requests to a web application where the end user is already authenticated. When a user authenticates with a website, session information is created and stored on both the server and in the browser. Any request the browser then makes to that website, including one triggered by another site, carries that session and is executed without further validation. This is a CSRF attack.



Step 1 – Spring Boot Security tag libraries

In the Spring Boot application, add the Spring Boot Security and Spring Security tag library dependencies to the pom.xml file. These dependencies add the Spring Security module and the Spring Security JSP tag library.

		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
		</dependency>


Step 2 – Add the Spring Boot CSRF token in the JSP

The CSRF token must be included in every POST form in the JSP or template files. For JSON calls, send the token in a request header instead. The following example shows how to add the CSRF token in a JSP file.

login.jsp

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<center>
<h1>Welcome to Spring Boot Security</h1>
<h2>Login Page</h2>
<form method="POST" action="/login">
    User Name : <input type="text" name="username" value="user"/><br><br>
    Password  : <input type="password" name="password" value="password"/><br><br>
    <sec:csrfInput />
    <input type="submit" name="submit"/>
</form>
</center>


Step 3 – Remove the CSRF disable code

If any code that disables CSRF protection was added to the Spring Boot Security configuration, remove all of it. The example below shows the CSRF disable line commented out.

package com.yawintutor;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpringBootSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // In-memory user used by the login form; {noop} means the password is stored unencoded.
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("USER");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/**").hasAnyRole("USER")
            .and()
            .formLogin().loginPage("/login").permitAll();
        // CSRF protection is enabled by default; the line below must stay removed.
        //http.csrf().disable();
    }
}
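To confirm that the configuration above really enforces the CSRF check, here is an added MockMvc test (not part of the original post). It assumes spring-boot-starter-test and spring-security-test are on the test classpath, JUnit 5, and a Spring Boot application class in the com.yawintutor package; the test class name is chosen here.

```java
package com.yawintutor;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class name; verifies the behaviour of SpringBootSecurityConfiguration.
@SpringBootTest
@AutoConfigureMockMvc
class CsrfEnforcementTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void loginPostWithoutTokenIsRejected() throws Exception {
        // A POST that carries no _csrf value, which is what a request from a
        // foreign page would look like, is denied with 403 by the CsrfFilter.
        mockMvc.perform(post("/login")
                .param("username", "user")
                .param("password", "password"))
            .andExpect(status().isForbidden());
    }

    @Test
    void loginPostWithFormTokenIsAccepted() throws Exception {
        // csrf() adds a valid _csrf parameter, as <sec:csrfInput/> does in
        // login.jsp; a successful form login answers with a redirect.
        mockMvc.perform(post("/login")
                .param("username", "user")
                .param("password", "password")
                .with(csrf()))
            .andExpect(status().is3xxRedirection());
    }

    @Test
    void loginPostWithHeaderTokenIsAccepted() throws Exception {
        // JSON clients send the same token in the X-CSRF-TOKEN header instead
        // of a form field; csrf().asHeader() simulates that.
        mockMvc.perform(post("/login")
                .param("username", "user")
                .param("password", "password")
                .with(csrf().asHeader()))
            .andExpect(status().is3xxRedirection());
    }
}
```

Only state-changing methods (POST, PUT, PATCH, DELETE) are checked; a GET is never rejected for a missing token, so data must never be modified on GET.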


