1

I couldn't solve this issue.

I try to athentication login logout example here. Login is work properly but when I try to logout, browser gives NetworkError : 403 forbidden localhost:8080/logout is forbidden.

In my opinion I should add token header every request from ui side.But I don't know and find how can I do that?

here is the browser developer tools message :

POST 403 {"timestamp":1501570024381,"status":403,"error":"Forbidden","message":"Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.","path":"/helpdesk/logout"}

here is my angular logout function:

 $scope.logout = function() { $http.post('logout',{}).success(function() { $rootScope.authenticated = false; $location.path("/home"); }).error(function(data) { $rootScope.authenticated = false; }); }

here is my SpringSecurityConfig configure method:

 @Override protected void configure(HttpSecurity http) throws Exception { http .httpBasic().and() .authorizeRequests() .antMatchers("/index.html","/pages/**","/","/webjars/**") .permitAll() .anyRequest() .authenticated().and().logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).permitAll() .logoutSuccessHandler(logoutSuccess) .deleteCookies("JSESSIONID").invalidateHttpSession(false) .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class); }

How can I solve this? How can I add token header to all request? Could you help me please?

Improve this question
8
  • You don't need to do this explicitly $rootScope.authenticated = false; or $location.path("/home");. Your Configurtion should be sufficient to logout the user, you should be able to perform simple post request to logout. However, it would be helpful to know SpringSec version you are using. You might want to include additional headers to your post request. Commented Jul 31, 2017 at 15:02
  • I have to set $rootscope.authenticated = false because some view hidden or display state of this param. I"ll try this solution if it'll work I tey different way for this. Thank you. Commented Jul 31, 2017 at 16:34
  • I tried your solution but it didn't work. I editted the question. Commented Aug 1, 2017 at 6:48
  • Btw, I checked your link to the tutorial you are following. At first glance they are describing how to handle CSRF tokens. My answer might be useless Commented Aug 1, 2017 at 11:47
  • You need to send the csrf token in your call to the spring controller because thats how Spring security works. Based on these csrf tokens only the calls are verified and authorized. Commented Aug 1, 2017 at 13:17

2 Answers 2

Reset to default
1

I solved my issue:

Firstly I find this sample when I research on goole.

After that I applied same interceptor my app like this : 

app.factory('CsrfTokenInterceptorService', ['$q', function CsrfTokenInterceptorService($q) { // Private constants. var CSRF_TOKEN_HEADER = 'X-CSRF-TOKEN', HTTP_TYPES_TO_ADD_TOKEN = ['DELETE', 'POST', 'PUT']; // Private properties. var token; // Public interface. var service = { response: onSuccess, responseError: onFailure, request: onRequest, }; return service; // Private functions. function onFailure(response) { if (response.status === 403) { console.log('Request forbidden. Ensure CSRF token is sent for non-idempotent requests.'); } return $q.reject(response); } function onRequest(config) { if (HTTP_TYPES_TO_ADD_TOKEN.indexOf(config.method.toUpperCase()) !== -1) { config.headers[CSRF_TOKEN_HEADER] = token; } return config; } function onSuccess(response) { var newToken = response.headers(CSRF_TOKEN_HEADER); if (newToken) { token = newToken; } return response; } }]);

and added to app.config method this :

$httpProvider.defaults.xsrfHeaderName = 'X-CSRF-TOKEN'; $httpProvider.interceptors.push('CsrfTokenInterceptorService');

But now I have an another problem. Browser start to open custom authentication popup. I have to solve this.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

-1

CSRF token would be checked for all the postrequests by SpringSec. Thus, you can either include it everytime, or disable it. XML config would look something like this: 

<http ...... > <!-- ... --> <csrf disabled="true"/> </http>

Or simply add the following in your config: 

 @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .httpBasic().and() .authorizeRequests() .antMatchers("/index.html","/pages/**","/","/webjars/**") .permitAll() .anyRequest() .authenticated().and().logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).permitAll() .logoutSuccessHandler(logoutSuccess) .deleteCookies("JSESSIONID").invalidateHttpSession(false) .and() .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class); }

This way you don't need to care about its inclusion. For proper handling of CSRF Tokens take a look at Spring Security’s Cross Site Request Forgery (CSRF) support..

P.S. let me know in case it doesn't help or at least point you to the right direction.

Improve this answer

3 Comments

thank you for your interesting. Well, Do we have to disable csrf? I mean we have to secure sessions on ours application am I right? If I got correctly, I send csrf tokens as header all request from angular js. Do you know how can I do that?
Unfortunately I am not familiar with angular, but I would guess that the link to Spring Sec support and tutorial that you are following should give you some insight. Best of luck :)
please check stackoverflow.com/a/45455423/5707108 this.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.