
I use org.springframework.security.web.csrf.CookieCsrfTokenRepository to secure my Spring-based web application from CSRF attacks. This enables all the Controller methods to be called only by passing an X-XSRF-TOKEN header or a _csrf request parameter.

So in order for me to get the response of a GET URL in the browser, I will have to write something like the below in the browser address bar.

http://localhost:8080/api/someresource?_csrf=99e3b824-d0c9-409d-91ee-c7ccbdce313f&filter1=value1&filter2=value2&so=on

However, some of these URLs have a filter mechanism based on the request parameters, and unfortunately this extra _csrf parameter breaks that logic.

As I see it, this request parameter should be needed if the request had passed the csrf validation. But I couldn't do anything in the documentation to remove the _csrf request parameter on the application level.

At the moment, I do something like below.

@ResponseStatus(OK)
@RequestMapping(method = RequestMethod.GET, value = "/search/advanced")
@ResponseBody
public ResponseVO advancedSearch(@RequestParam MultiValueMap<String, String> queryParameters, Pageable pageable) {
    // this line is the hack that I wrote: drop the CSRF token before the filter logic sees the parameters
    queryParameters.remove(MyApplicationConstants.CSRF_PARAM_NAME);
    return doStuffAndGetFilteredData(queryParameters);
}

This implementation has its drawbacks.

  • I will have to change all 143 controller methods to have this one line on the top.
  • I have to remember to add this for new methods in future.
  • It's a cheap hack, and there should be some better and cleaner way of doing it.

Is there a way I can achieve this without rewriting that one line again and again?

Note:

  • I fully understand that I can use curl or Postman so I can pass X-XSRF-TOKEN in the header. But it's not as quick as opening the URL in a new tab.
  • use some aspect and some annotation? –  Nov 29 '17 at 17:38
  • @RC. The problem is that I will have to use that annotation for all those 143 controller methods. – Raja Anbazhagan Nov 29 '17 at 17:38
  • I understand that, but how is spring supposed to know it should remove the _csrf parameter? Or maybe you want it to be removed always? –  Nov 29 '17 at 17:40
  • Is there a way I can hack the CSRF token repository itself? Or the component that validates the CSRF Token for each request? – Raja Anbazhagan Nov 29 '17 at 17:41
  • see [`CsrfFilter`](https://github.com/spring-projects/spring-security/blob/master/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java) I think, if you remove the parameter just before `filterChain.doFilter` that should do it –  Nov 29 '17 at 17:42
  • Why is your GET secured with CSRF? You generally only want that for modifying requests, i.e. POST/PUT etc., but not for GET requests... Seems like you are using it for something you shouldn't be using it for. – M. Deinum Nov 29 '17 at 17:53
  • @M.Deinum, these URLs serve sensitive content and that's a business decision that I have no control of. And I personally don't believe that GET URLs should be excluded from CSRF (it's safe this way). – Raja Anbazhagan Nov 29 '17 at 17:56
  • CSRF is only an attack for modifying; it doesn't add anything in the case of a GET, only complexity. Heck, even Spring Security doesn't check the token on GET requests (unless you worked around that by explicitly enabling it for all requests). – M. Deinum Nov 29 '17 at 17:58
  • @RC. I just got to know that the getParameterMap() from an HttpServletRequest is an immutable map. Looks like all doors are shut for me in this case. – Raja Anbazhagan Nov 29 '17 at 17:58
  • Maybe https://stackoverflow.com/questions/1413129/modify-request-parameter-with-servlet-filter –  Nov 29 '17 at 18:59
  • I will try this one – Raja Anbazhagan Nov 30 '17 at 23:30
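The approach the comments converge on (let `CsrfFilter` validate the token, then hide `_csrf` from everything downstream through a request wrapper, because the real `getParameterMap()` is read-only), written out as an added example; this is not code from the question or from Spring Security. It assumes the default parameter name `_csrf`, the `javax.servlet` API of that era, and that the filter is registered after `CsrfFilter` with `http.addFilterAfter(new StripCsrfParameterFilter(), CsrfFilter.class)`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hides the _csrf request parameter from controllers once CsrfFilter has validated it.
 * Register it AFTER CsrfFilter (http.addFilterAfter(new StripCsrfParameterFilter(), CsrfFilter.class))
 * so the token is still visible when Spring Security checks it.
 */
public class StripCsrfParameterFilter extends OncePerRequestFilter {
    // Assumption: the default name; keep in sync with CookieCsrfTokenRepository.setParameterName if changed.
    static final String CSRF_PARAM = "_csrf";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (request.getParameter(CSRF_PARAM) == null) {
            chain.doFilter(request, response); // token came via header or not at all: nothing to hide
            return;
        }
        // getParameterMap() is immutable, so expose a filtered copy through a wrapper instead.
        final Map<String, String[]> params = withoutCsrf(request.getParameterMap());
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public String getParameter(String name) {
                String[] v = params.get(name);
                return (v == null || v.length == 0) ? null : v[0];
            }
            @Override public Map<String, String[]> getParameterMap() { return params; }
            @Override public Enumeration<String> getParameterNames() {
                return Collections.enumeration(params.keySet());
            }
            @Override public String[] getParameterValues(String name) { return params.get(name); }
        }, response);
    }

    /** Returns a read-only copy of the parameter map with the CSRF entry removed. */
    static Map<String, String[]> withoutCsrf(Map<String, String[]> original) {
        Map<String, String[]> copy = new LinkedHashMap<>(original);
        copy.remove(CSRF_PARAM);
        return Collections.unmodifiableMap(copy);
    }
}
```

Because Spring MVC binds `@RequestParam MultiValueMap` from the wrapped request's parameter methods, the per-controller `remove(...)` line becomes unnecessary; anything that runs earlier in the filter chain than this filter still sees `_csrf` and is unaffected.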
