Security
Spring Security can protect applications from CSRF attacks. CSRF protection should be used for any request that could be processed by a browser on behalf of a normal user, because the browser attaches session cookies to such requests automatically. If you are only creating a service that is used by non-browser clients (which send no cookies on their own), you will likely want to disable CSRF protection.
Configure CSRF Protection
As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, set disabled="true" on the csrf element, as in the XML configuration below.
<http>
<!-- ... -->
<csrf disabled="true"/>
</http>
Form Submissions
The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE requests. One way to approach this is to use the _csrf request attribute to obtain the current CsrfToken (for a server-rendered form, typically by emitting it as a hidden input). For an AngularJS client the usual approach is different: the Spring Security XML configuration below registers a custom CsrfHeaderFilter (its source is not shown on this page) after the built-in CSRF filter, and configures the token repository to read the token from the X-XSRF-TOKEN header, which is the header AngularJS's $http service fills in from an XSRF-TOKEN cookie:
<!-- SPRING SECURITY SETUP -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Application-specific password encoder used by the authentication provider below -->
    <bean id="passwordEncoder" class="security.SHA1PasswordEncoder" />

    <!-- Application-specific filter that exposes the CSRF token to the AngularJS client -->
    <bean id="csrfHeaderFilter" class="security.CsrfHeaderFilter" />

    <!-- Keeps the expected token in the HTTP session and reads the submitted one
         from the X-XSRF-TOKEN header (the header AngularJS sends) -->
    <bean id="csrfTokenRepository"
        class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
        <property name="headerName" value="X-XSRF-TOKEN" />
    </bean>

    <!-- Unauthenticated AJAX requests get a bare 401; everything else gets a Basic challenge -->
    <bean id="entryPoint"
        class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
        <constructor-arg>
            <map>
                <entry key="hasHeader('X-Requested-With','XMLHttpRequest')"
                    value-ref="ajaxEntryPoint" />
            </map>
        </constructor-arg>
        <property name="defaultEntryPoint" ref="defaultEntryPoint" />
    </bean>

    <bean id="ajaxEntryPoint"
        class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <constructor-arg name="httpStatus"
            value="#{T(org.springframework.http.HttpStatus).UNAUTHORIZED}" />
    </bean>

    <bean id="defaultEntryPoint"
        class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <property name="realmName" value="Protected API" />
    </bean>

    <!-- Authenticates against the userDetailService bean (defined elsewhere) -->
    <security:authentication-manager id="authenticationManager">
        <security:authentication-provider user-service-ref="userDetailService">
            <security:password-encoder ref="passwordEncoder" />
        </security:authentication-provider>
    </security:authentication-manager>

    <security:global-method-security
        secured-annotations="enabled" pre-post-annotations="enabled" />

    <security:http realm="Protected API" use-expressions="true"
        auto-config="true" authentication-manager-ref="authenticationManager">
        <security:intercept-url pattern="/" access="permitAll" />
        <security:intercept-url pattern="/index.html" access="permitAll" />
        <security:intercept-url pattern="/login" access="permitAll" />
        <security:intercept-url pattern="/logout" access="permitAll" />
        <security:intercept-url pattern="/rest/v1.0/**" access="isAuthenticated()" />

        <!-- CSRF protection using the header-based token repository above -->
        <security:csrf token-repository-ref="csrfTokenRepository" />
        <!-- Runs after CsrfFilter so the current token is already on the request -->
        <security:custom-filter ref="csrfHeaderFilter" after="CSRF_FILTER" />

        <security:http-basic entry-point-ref="entryPoint" />
        <security:logout />
    </security:http>

</beans>
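The CsrfHeaderFilter referenced by the csrfHeaderFilter bean is not shown on this page. The following is an added example, not the page's or the application's own code, of how such a filter is typically written for the configuration above, together with a small helper that renders the _csrf request attribute as a hidden field for server-rendered forms. Both classes are placed in one file here for brevity; the package name security matches the bean definitions, and the cookie name XSRF-TOKEN is assumed because it is the default cookie AngularJS looks for.

```java
package security;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.WebUtils;

/**
 * Runs after Spring Security's CsrfFilter (custom-filter after="CSRF_FILTER")
 * and copies the session-bound CsrfToken into a JavaScript-readable XSRF-TOKEN
 * cookie. AngularJS's $http service reads that cookie and echoes its value in
 * the X-XSRF-TOKEN header, which HttpSessionCsrfTokenRepository (configured
 * with headerName="X-XSRF-TOKEN") compares against the token in the session.
 * The cookie is only transport: the authoritative copy stays server side.
 */
public class CsrfHeaderFilter extends OncePerRequestFilter {

    // Assumed cookie name; it is the default AngularJS reads for X-XSRF-TOKEN.
    static final String COOKIE_NAME = "XSRF-TOKEN";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // CsrfFilter stores the current token as a request attribute under the
        // CsrfToken class name (and, by default, under "_csrf" as well).
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (csrf != null) {
            String token = csrf.getToken();
            Cookie cookie = WebUtils.getCookie(request, COOKIE_NAME);
            // Re-issue the cookie only when it is missing or stale (new session,
            // rotated token); otherwise every response would carry a Set-Cookie.
            if (cookie == null || (token != null && !token.equals(cookie.getValue()))) {
                cookie = new Cookie(COOKIE_NAME, token);
                cookie.setPath("/");
                // Deliberately NOT HttpOnly: the client script must read it.
                // Mark it Secure when the request came in over TLS (behind a
                // TLS-terminating proxy, isSecure() depends on proxy headers).
                cookie.setSecure(request.isSecure());
                response.addCookie(cookie);
            }
        }
        chain.doFilter(request, response);
    }
}

/**
 * For server-rendered forms: builds the hidden input that carries the token
 * from the _csrf request attribute, so PATCH/POST/PUT/DELETE submissions pass
 * CsrfFilter. Both name and value are HTML-escaped before being emitted.
 */
final class CsrfFormSupport {

    private CsrfFormSupport() {
    }

    static String hiddenInput(HttpServletRequest request) {
        CsrfToken csrf = (CsrfToken) request.getAttribute("_csrf");
        if (csrf == null) {
            // CsrfFilter did not run (e.g. CSRF disabled, or a path outside <http>).
            throw new IllegalStateException("No CsrfToken on request; is CSRF protection enabled?");
        }
        return "<input type=\"hidden\" name=\""
                + HtmlUtils.htmlEscape(csrf.getParameterName())
                + "\" value=\"" + HtmlUtils.htmlEscape(csrf.getToken()) + "\"/>";
    }
}
```

Two practical notes. The cookie must not be HttpOnly, which is unusual for a security-relevant cookie; this is acceptable because the cookie is only a copy of a per-session token that the browser's same-origin policy keeps other sites from reading, and the actual check is the header-to-session comparison done by CsrfFilter. Since Spring Security 4.1, CookieCsrfTokenRepository.withHttpOnlyFalse() provides this cookie-plus-header scheme out of the box and can be wired in through csrf token-repository-ref instead of a custom filter.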
The authentication-manager-ref attribute on http names the AuthenticationManager that will be used to authenticate users. Here it delegates to the userDetailService bean (defined elsewhere; in this application it is JDBC based) together with the passwordEncoder bean. Note that security.SHA1PasswordEncoder is an application-specific class: SHA-1 is not a suitable password hash, and Spring Security's BCryptPasswordEncoder (or another adaptive hash) should be preferred for new deployments.
intercept-url defines a URL pattern and the access expression a user must satisfy to reach it. For example, “/rest/v1.0/**” is reachable only by authenticated users (isAuthenticated()), while /, /index.html, /login and /logout are open to everyone (permitAll).
The corresponding AuthenticationEntryPoint can be set using the entry-point-ref attribute on the