
Introduction to SpringSecurity's method of handling CSRF attacks

不言
2019-03-06 15:37:51


CSRF Vulnerability Status

CSRF (Cross-site request forgery), also known as One-Click Attack or Session Riding and abbreviated CSRF or XSRF, is an attack that abuses the trust a website places in its users' browsers. Although it sounds like cross-site scripting (XSS), the two are quite different: XSS exploits the user's trust in a site, whereas CSRF exploits the site's trust in the user by forging requests that appear to come from an authenticated user, because the browser attaches the user's session cookie to the forged request automatically. Compared with XSS, CSRF is less well known (so resources on preventing it are scarcer) and harder to defend against, which is why it is often considered the more dangerous of the two.
CSRF is a confused-deputy attack in which the web browser is the deputy.

POM dependency

<!-- Template engine: FreeMarker -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-freemarker</artifactId>
</dependency>
<!-- Spring Security (only the CSRF part is used, so spring-security-web alone is enough) -->
<dependency>
  <groupId>org.springframework.security</groupId>
  <artifactId>spring-security-web</artifactId>
</dependency>

Configuring the filter

Only spring-security-web is on the classpath (not spring-boot-starter-security), so Spring Boot's security auto-configuration does not run and CsrfFilter has to be registered by hand. HttpSessionCsrfTokenRepository keeps the token in the HTTP session; by default it expects the token in the _csrf request parameter or the X-CSRF-TOKEN header, and CsrfFilter checks it only on requests whose method is not GET, HEAD, TRACE or OPTIONS.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@SpringBootApplication
public class Application {

  public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
  }

  /**
   * Registers the CSRF filter for every request path.
   * The token lives in the HTTP session; safe methods (GET, HEAD, TRACE, OPTIONS)
   * pass through, every other method must carry a valid token.
   *
   * @return {@link org.springframework.boot.web.servlet.FilterRegistrationBean}
   */
  @Bean
  public FilterRegistrationBean<CsrfFilter> csrfFilter() {
    FilterRegistrationBean<CsrfFilter> registration = new FilterRegistrationBean<>();
    registration.setFilter(new CsrfFilter(new HttpSessionCsrfTokenRepository()));
    registration.addUrlPatterns("/*");
    registration.setName("csrfFilter");
    return registration;
  }
}

Add the CSRF hidden field to form requests

CsrfFilter stores the current token in the request attribute _csrf, which is what the template expression below reads. With Spring Boot's FreeMarker starter, request attributes are only exposed to templates when spring.freemarker.expose-request-attributes=true is set; otherwise the field renders empty and every non-safe request (POST, PUT, ...) is rejected with HTTP 403.

<input name="${(_csrf.parameterName)!}" value="${(_csrf.token)!}" type="hidden" />

Add the header to AJAX requests

The hidden field only covers HTML forms; for XMLHttpRequest the token goes into the header named by _csrf.headerName (X-CSRF-TOKEN by default):

xhr.setRequestHeader("${(_csrf.headerName)!}", "${(_csrf.token)!}");

Global jQuery Ajax configuration

With a global beforeSend hook every jQuery request carries the header, including GET requests that CsrfFilter does not check; that is harmless, it just saves per-call configuration.

jQuery.ajaxSetup({
  "beforeSend": function (request) {
    request.setRequestHeader("${_csrf.headerName}", "${_csrf.token}");
  }
});
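The two snippets above inline the token into every script. As an added example (my code, not from the original article or from Spring Security), the following browser-side helper reads the token once from two meta tags and attaches the header only to requests that CsrfFilter actually checks, i.e. everything except GET, HEAD, TRACE and OPTIONS. The meta tag names (_csrf_header, _csrf), the fakeDocument stand-in and the token value are assumptions made so the example runs outside a browser; in a real page you pass document and window.fetch.

```javascript
// Added example, not from the original article. Assumes the FreeMarker template renders
//   <meta name="_csrf_header" content="${(_csrf.headerName)!}">
//   <meta name="_csrf" content="${(_csrf.token)!}">
// (the tag names are this example's choice, not a Spring Security convention).

// Methods that CsrfFilter's default matcher exempts from the token check.
const SAFE_METHODS = new Set(["GET", "HEAD", "TRACE", "OPTIONS"]);

// Read header name and token from the meta tags. `doc` is passed in so the
// function works with the real document or with the stand-in below.
function readCsrfMeta(doc) {
  const content = (name) => {
    const el = doc.querySelector(`meta[name="${name}"]`);
    return el ? el.getAttribute("content") : null;
  };
  const headerName = content("_csrf_header");
  const token = content("_csrf");
  // Both empty usually means request attributes were not exposed to the template.
  if (!headerName || !token) return null;
  return { headerName, token };
}

// Headers to add for a request with this method: none for safe methods,
// otherwise { "<headerName>": "<token>" }.
function csrfHeadersFor(method, csrf) {
  const m = (method || "GET").toUpperCase();
  if (!csrf || SAFE_METHODS.has(m)) return {};
  return { [csrf.headerName]: csrf.token };
}

// Wrap a fetch-like function so state-changing requests carry the header.
// Caller-supplied headers are kept; `init.headers` is assumed to be a plain object.
function withCsrf(fetchImpl, csrf) {
  return (url, init = {}) => {
    const headers = Object.assign({}, init.headers || {}, csrfHeadersFor(init.method, csrf));
    return fetchImpl(url, Object.assign({}, init, { headers }));
  };
}

// Constructed stand-in for `document`, only so the example runs without a browser.
function fakeDocument(metas) {
  return {
    querySelector(selector) {
      const m = /^meta\[name="([^"]+)"\]$/.exec(selector);
      if (!m || !Object.prototype.hasOwnProperty.call(metas, m[1])) return null;
      return { getAttribute: (attr) => (attr === "content" ? metas[m[1]] : null) };
    },
  };
}

// Demo: record what a GET and a POST would send. The token value is made up.
function demo() {
  const sent = [];
  const recordingFetch = (url, init) => {
    sent.push({ url, method: init.method || "GET", headers: init.headers });
    return Promise.resolve({ ok: true });
  };
  const csrf = readCsrfMeta(fakeDocument({ _csrf_header: "X-CSRF-TOKEN", _csrf: "example-token-123" }));
  const fetchWithCsrf = withCsrf(recordingFetch, csrf);
  fetchWithCsrf("/api/items"); // GET: no token attached
  fetchWithCsrf("/api/items", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: "{}",
  }); // POST: X-CSRF-TOKEN header added, Content-Type kept
  return sent;
}

console.log(JSON.stringify(demo(), null, 2));
```

If readCsrfMeta returns null, the wrapper degrades to sending no token and the server answers 403 on the first POST, which is the right place to notice that the template did not expose the request attributes.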


Statement:
This article is reproduced from segmentfault.com.