1

I couldn't solve this issue.

I am trying the authentication login/logout example here. Login works properly, but when I try to log out the browser gives NetworkError: 403 Forbidden (localhost:8080/logout is forbidden).

In my opinion I should add a token header to every request from the UI side, but I don't know how to do that.

Here is the browser developer tools message:

POST 403 {"timestamp":1501570024381,"status":403,"error":"Forbidden","message":"Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.","path":"/helpdesk/logout"}

Here is my Angular logout function:

$scope.logout = function() {
    $http.post('logout', {}).success(function() {
        $rootScope.authenticated = false;
        $location.path("/home");
    }).error(function(data) {
        $rootScope.authenticated = false;
    });
}

Here is my SpringSecurityConfig configure method:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .httpBasic().and()
            .authorizeRequests()
            .antMatchers("/index.html", "/pages/**", "/", "/webjars/**")
            .permitAll()
            .anyRequest()
            .authenticated().and().logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).permitAll()
            .logoutSuccessHandler(logoutSuccess)
            .deleteCookies("JSESSIONID").invalidateHttpSession(false)
            .and()
            .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
}

How can I solve this? How can I add the token header to all requests? Could you help me please?

luffy
  • You don't need to do this explicitly: `$rootScope.authenticated = false;` or `$location.path("/home");`. Your configuration should be sufficient to log out the user; you should be able to perform a simple POST request to logout. However, it would be helpful to know the Spring Security version you are using. You might want to include additional headers in your POST request. – lazyneuron Jul 31 '17 at 15:02
  • I have to set `$rootScope.authenticated = false` because some views are hidden or displayed based on this param. I'll try this solution; if it works I'll try a different way for this. Thank you. – luffy Jul 31 '17 at 16:34
  • I tried your solution but it didn't work. I edited the question. – luffy Aug 01 '17 at 06:48
  • Btw, I checked your link to the tutorial you are following. At first glance they are describing how to handle `CSRF` tokens. My answer might be useless. – lazyneuron Aug 01 '17 at 11:47
  • You need to send the CSRF token in your call to the Spring controller, because that's how Spring Security works. The calls are verified and authorized based on these CSRF tokens only. – Abdullah Khan Aug 01 '17 at 13:17
  • @AbdullahKhan Thank you for your interest. I noticed that, but how can I do that? I researched but couldn't achieve it. Do you know any sample for this? – luffy Aug 01 '17 at 13:19
  • Check out [this](https://stackoverflow.com/a/18338635/3094731). – Abdullah Khan Aug 01 '17 at 13:24
  • https://stackoverflow.com/a/45455423/5707108 please check this @AbdullahKhan – luffy Aug 02 '17 at 08:26

2 Answers

1

I solved my issue:

Firstly, I found this sample when I researched on Google.

After that I applied the same interceptor to my app, like this:

app.factory('CsrfTokenInterceptorService', ['$q',
function CsrfTokenInterceptorService($q) {

    // Private constants.
    var CSRF_TOKEN_HEADER = 'X-CSRF-TOKEN',
        HTTP_TYPES_TO_ADD_TOKEN = ['DELETE', 'POST', 'PUT'];

    // Private properties: the last token the server handed back.
    var token;

    // Public interface ($http interceptor hooks).
    var service = {
        response: onSuccess,
        responseError: onFailure,
        request: onRequest
    };

    return service;

    // Private functions.
    function onFailure(response) {
        if (response.status === 403) {
            console.log('Request forbidden. Ensure CSRF token is sent for non-idempotent requests.');
        }

        return $q.reject(response);
    }

    // Attach the stored token to state-changing requests only (GETs need none).
    function onRequest(config) {
        if (token && HTTP_TYPES_TO_ADD_TOKEN.indexOf(config.method.toUpperCase()) !== -1) {
            config.headers[CSRF_TOKEN_HEADER] = token;
        }

        return config;
    }

    // Remember a fresh token whenever the server returns one in the response header.
    function onSuccess(response) {
        var newToken = response.headers(CSRF_TOKEN_HEADER);

        if (newToken) {
            token = newToken;
        }

        return response;
    }
}]);

and added this to the app.config method:

$httpProvider.defaults.xsrfHeaderName = 'X-CSRF-TOKEN';
$httpProvider.interceptors.push('CsrfTokenInterceptorService');

But now I have another problem. The browser starts to open a custom authentication popup. I have to solve this.

luffy
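As an added example (not code from the question or either answer), the following shows the cookie-to-header handshake that the `$httpProvider.defaults.xsrfHeaderName = 'X-CSRF-TOKEN'` line relies on. It assumes the `CsrfHeaderFilter` in the question's config does what the Spring Angular tutorial's version does, namely write the session's CSRF token into an `XSRF-TOKEN` cookie; the client then copies that value into the `X-CSRF-TOKEN` header on state-changing requests, which is exactly what was missing on the logout POST that produced the 403. The cookie name, header name, sample cookie string and token values are assumptions, and the server-side check is a reduced model of the rule Spring's `CsrfFilter` enforces, not Spring's code.

```javascript
// Constructed example of the CSRF cookie-to-header handshake.
// Assumed names: XSRF_COOKIE (the cookie AngularJS reads by default) and
// CSRF_HEADER (the header Spring Security's CsrfFilter checks).
const XSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-CSRF-TOKEN';
// Methods that change state and therefore must carry the token; GET/HEAD/OPTIONS are exempt.
const UNSAFE_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

// Parse a document.cookie style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Decide which CSRF header (if any) a request should carry, mirroring what
// AngularJS does with xsrfCookieName / xsrfHeaderName: safe methods get nothing,
// unsafe methods get the cookie value copied into the header.
function csrfHeadersFor(method, cookieString) {
  const token = parseCookies(cookieString)[XSRF_COOKIE];
  if (!token || !UNSAFE_METHODS.includes(method.toUpperCase())) return {};
  return { [CSRF_HEADER]: token };
}

// Interceptor-style helper: return a copy of an $http-like config with the header attached.
function attachCsrf(config, cookieString) {
  const headers = Object.assign({}, config.headers || {}, csrfHeadersFor(config.method, cookieString));
  return Object.assign({}, config, { headers });
}

// Server-side view, reduced to the one rule behind the question's 403:
// an unsafe request is rejected unless the presented token equals the session's token.
function serverAcceptsRequest(method, headers, sessionToken) {
  if (!UNSAFE_METHODS.includes(method.toUpperCase())) return true;
  const presented = headers[CSRF_HEADER];
  return typeof presented === 'string' && presented === sessionToken;
}

// Walk through the logout call from the question with a constructed cookie jar.
function demoLogout() {
  const cookies = 'JSESSIONID=abc123; XSRF-TOKEN=tok-constructed-1';  // constructed
  const sessionToken = 'tok-constructed-1';                           // what the server stored
  const bare = { method: 'POST', url: 'logout', headers: {} };
  const withToken = attachCsrf(bare, cookies);
  return {
    withoutHeader: serverAcceptsRequest(bare.method, bare.headers, sessionToken),      // false -> 403
    withHeader: serverAcceptsRequest(withToken.method, withToken.headers, sessionToken) // true
  };
}
```

Because the token is read from a cookie, the cookie must be readable by script (Spring's `CookieCsrfTokenRepository.withHttpOnlyFalse()` exists for exactly this reason), and the header is only attached on unsafe methods, so plain page loads stay unaffected.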
-1

The CSRF token would be checked for all POST requests by Spring Security. Thus, you can either include it every time, or disable it. The XML config would look something like this:

<http ...... >

  <!-- ... -->
  <csrf disabled="true"/>

</http>

Or simply add the following in your config:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .httpBasic().and()
            .authorizeRequests()
            .antMatchers("/index.html", "/pages/**", "/", "/webjars/**")
            .permitAll()
            .anyRequest()
            .authenticated().and().logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).permitAll()
            .logoutSuccessHandler(logoutSuccess)
            .deleteCookies("JSESSIONID").invalidateHttpSession(false)
            .and()
            .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
}

This way you don't need to care about its inclusion. For proper handling of CSRF tokens, take a look at Spring Security's Cross Site Request Forgery (CSRF) support.

P.S. Let me know in case it doesn't help, or at least points you in the right direction.

lazyneuron
  • Thank you for your interest. Well, do we have to disable CSRF? I mean, we have to secure sessions in our application, am I right? If I understood correctly, I should send CSRF tokens as a header on all requests from AngularJS. Do you know how I can do that? – luffy Aug 01 '17 at 13:13
  • Unfortunately I am not familiar with Angular, but I would guess that the link to the Spring Security support and the tutorial that you are following should give you some insight. Best of luck :) – lazyneuron Aug 01 '17 at 15:54
  • Please check stackoverflow.com/a/45455423/5707108. – luffy Aug 02 '17 at 08:26