
Our Angular-based web app is integrated with an enterprise portal which runs on a different domain and context path. I am using a Spring Security based CSRF token for validating the incoming requests. The app works perfectly locally, but when I integrate it with the portal all the POST calls fail with 403 because Angular is not able to read the XSRF-TOKEN cookie and set the X-XSRF-TOKEN header on the API calls. Upon investigation, I found the context paths of the portal and our app are different, and hence Spring is setting the XSRF-TOKEN cookie with Path, Expires and Domain as null. Is there any way I can set the XSRF-TOKEN cookie to a specific path when Spring creates it?

Note: I have an alternative solution: create a filter that reads the cookie from the request headers and drops a new cookie on the browser with the path I want. I am looking for a solution at the configuration level.

javageek

1 Answer


In your security configuration (Java file), it's possible to add:

import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;

private CsrfTokenRepository getCsrfTokenRepository() {
    // HttpOnly is disabled so the Angular client can read the cookie value
    CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
    // Issue the cookie at the root path so it is sent regardless of context path
    tokenRepository.setCookiePath("/");
    return tokenRepository;
}

and, in the configure(...) method, to replace the line:

http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()...

with

http.csrf().csrfTokenRepository(this.getCsrfTokenRepository()).and()...

This gives you a way to customize the path of the XSRF-TOKEN cookie.

avojak
MaxL
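The following is an added example, not code from the question or the answer above: a complete Spring Security configuration class that wires the cookie-based CSRF repository with an explicit cookie path, written in the SecurityFilterChain style. It assumes Spring Security 5.6 or later (lambda DSL, authorizeHttpRequests, setSecure); the package, class and bean names are hypothetical.

```java
// Added example, not part of the original answer. Assumes Spring Security 5.6+.
// Package and class names are hypothetical.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfCookieConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Use the cookie repository built below instead of the default HttpSessionCsrfTokenRepository
            .csrf(csrf -> csrf.csrfTokenRepository(csrfTokenRepository()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    private CsrfTokenRepository csrfTokenRepository() {
        // HttpOnly must be off so the Angular HttpClient can read XSRF-TOKEN and
        // echo it back in the X-XSRF-TOKEN header. A cross-site page still cannot
        // read it, because the same-origin policy denies it access to the cookie.
        CookieCsrfTokenRepository repository = CookieCsrfTokenRepository.withHttpOnlyFalse();

        // Root path: the cookie is sent for the portal's context path as well as
        // the app's, which is what the question needs.
        repository.setCookiePath("/");

        // The value is script-readable, so only ever transmit it over TLS.
        repository.setSecure(true);

        return repository;
    }
}
```

Two points worth checking after applying this: widening the path to "/" makes the cookie visible to every application served under the same host, so it should only be done where those applications are trusted; and on Spring Security 6 the CSRF token is loaded lazily by default, so the single-page-application section of the reference documentation describes the additional request-handler wiring needed for the cookie to actually be written on the first response.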