This article contains Spring Security CSRF Example for authentication using Spring Security. This article help you to solve Cross Site Request Forgery (CSRF) problem using spring security. As of Spring Security 4.0, CSRF protection is enabled by default.
Spring Security csrf example
Table of Contents
Dependency
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.javadeveloperzone</groupId>
<artifactId>spring-security-java-configuration</artifactId>
<packaging>war</packaging>
<version>1.0-SNAPSHOT</version>
<name>spring-security-java-configuration</name>
<properties>
<spring.version>4.3.1.RELEASE</spring.version>
<spring.security.version>4.2.0.RELEASE</spring.security.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
</dependencies>
<build>
<finalName>spring-security-java-configuration</finalName>
<plugins>
<plugin>
<artifactId>maven-war-plugin</artifactId>
<version>2.4</version>
<configuration>
<failOnMissingWebXml>false</failOnMissingWebXml>
</configuration>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>1.8</source>
<target>1.8</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
Configuration:
WebConfigs.java
package com.javadeveloperzone.configs;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;
/**
* Created by Subhash Lamba on 19-01-2017.
*/
public class WebConfigs extends AbstractAnnotationConfigDispatcherServletInitializer {
@Override
protected Class<?>[] getRootConfigClasses() {
return new Class[]{SpringWebConfig.class};
}
@Override
protected Class<?>[] getServletConfigClasses() {
return new Class[]{SpringWebConfig.class};
}
@Override
protected String[] getServletMappings() {
return new String[]{"/"};
}
}
SpringWebConfig.java
package com.javadeveloperzone.configs;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;
/**
* Created by JavaDeveloperZone on 19-01-2017.
*/
@EnableWebMvc
@Configuration
@ComponentScan({"com.javadeveloperzone.*"})
@Import({ SpringSecurityWebConfig.class })
public class SpringWebConfig extends WebMvcConfigurerAdapter {
@Bean
public InternalResourceViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setViewClass(JstlView.class);
viewResolver.setPrefix("/WEB-INF/pages/");
viewResolver.setSuffix(".jsp");
return viewResolver;
}
}
SpringSecuirtyWebConfig.java
package com.javadeveloperzone.configs;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
/**
* Created by JavaDeveloperZone on 18-03-2017.
*/
@Configuration
@EnableWebSecurity
public class SpringSecurityWebConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("javadeveloperzone").password("javadeveloperzone").roles("USER");
auth.inMemoryAuthentication().withUser("javadeveloperzone1").password("javadeveloperzone1").roles("ADMIN");
auth.inMemoryAuthentication().withUser("javadeveloperzone2").password("javadeveloperzone2").roles("CLIENT");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin()
.loginPage("/login").defaultSuccessUrl("/admin/home")
.permitAll()
.and()
.authorizeRequests()
.anyRequest().authenticated();
http.logout().logoutSuccessUrl("/logoutSuccess").permitAll();
}
}
SecurityWebApplicationInitializer.java
package com.javadeveloperzone.configs;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
/**
* Created by Java Developer Zone on 18-03-2017.
*/
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
JSP Pages:
index.jsp
Logging In
In order to protect against forging log in requests the log in form should be protected against CSRF attacks too. Since the CsrfToken is stored in HttpSession, this means an HttpSession will be created as soon as CsrfToken token attribute is accessed. While this sounds bad in a RESTful / stateless architecture the reality is that state is necessary to implement practical security. Without state, we have nothing we can do if a token is compromised. Practically speaking, the CSRF token is quite small in size and should have a negligible impact on our architecture.
<%--
Created by IntelliJ IDEA.
User: Java Developer Zone
Date: 18-03-2017
Time: 07:34
To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Spring Security CSRF Example</title>
</head>
<body>
<h2>Spring Security CSRF Example Demo Login page </h2>
<form name='f' action='/login' method='POST'>
User<input type='text' name='username' value=''>
Password:<input type='password' name='password'/>
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/> <%--CSRF hidden field--%>
<input name="submit" type="submit" value="Login"/>
</form>
</body>
</html>
home.jsp
Logging Out
Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.
<%--
Created by IntelliJ IDEA.
User: Lenovo
Date: 18-03-2017
Time: 11:38
To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Spring Security CSRF Example</title>
</head>
<body>
<h2>String Security CSRF Example Home Page</h2>
${message}
<form name='f' action='/logout' method='POST'>
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/> <%--CSRF hidden field--%>
<input name="submit" type="submit" value="Login"/>
</form>
</body>
</html>
logoutsuccess.jsp
<%--
Created by IntelliJ IDEA.
User: Lenovo
Date: 10-06-2017
Time: 11:58
To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Spring Security CSRF Example</title>
</head>
<body>
<h2>Spring Security CSRF Example logout success page</h2>
<h2>Logout Success</h2>
</body>
</html>
Output:
Output:
Login Page
Spring Security csrf example
Home Page
Spring Security csrf home page example
Logout Success Page
Spring Security csrf example logout success
References:
https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/csrf.html
Was this post helpful?
Let us know if you liked the post. That’s the only way we can improve.
1 comment. Leave new
Hello,
Your article is very informative.
If I need to Exclude some API’s out of CSRF Token authentication, How can I do that?
If the application consists of some Pure REST API’s for Mobile communication