0

I am using jqGrid with Spring Security, but how do I send CSRF with a jqGrid request?

Oleg
Aleem
  • It depends on *which request* you mean (loading the data, editing of data and so on) and how you can get the CSRF on your client side. In some cases `$('meta[name=csrf]').attr('content')` will get you the CSRF, in another you can use `getCookie('csrftoken')`. To include CSRF in the loading request you can use `loadBeforeSend` like in [the answer](https://stackoverflow.com/a/6477061/315935): `loadBeforeSend: function(jqXHR) { jqXHR.setRequestHeader('X-CSRF-Token', csrf_token); }` – Oleg Dec 24 '17 at 10:22
  • Yes, I tried like this, but the request is still being forbidden. Below is the code I did: `var token = $("meta[name='_csrf']").attr("content"); var header = $("meta[name='_csrf_header']").attr("content"); $("#department-detail-grid-list").jqGrid({ url : "${returnAllDepartmentForGrid}", beforeSend: function(jqXHR) { jqXHR.setRequestHeader(header, token); },` – Aleem Dec 24 '17 at 10:32
  • 1) Please click on the "Edit" link under the text of your question and append any additional information (like your code) to the text of the question; 2) please *always* write which version of jqGrid you use and from which fork of jqGrid ("free jqGrid", commercial "Guriddo jqGrid JS" or an old "jqGrid" in version <=4.7); 3) jqGrid doesn't have the `beforeSend` callback, which you try to use. All unknown callbacks will just be ignored. You can include an `alert` message in the code of `beforeSend` to see that it will never be used. The correct name of the callback is `loadBeforeSend` (see my previous comment). – Oleg Dec 24 '17 at 12:29
  • Thank you, `loadBeforeSend` is working now :) – Aleem Dec 24 '17 at 13:07

1 Answer

0

I'm not a Spring developer. The solution of your problem depends on how you can get the CSRF token. It seems that there are two main ways: the usage of `<meta>` with content equal to `${_csrf.token}` or the usage of `getCookie('csrftoken')`.

Let us follow the part (or this one) of the Spring documentation and add `<meta>` elements `_csrf` and `_csrf_header` as follows:

```html
<!DOCTYPE html>
<html>
<head>
    <meta name="_csrf" content="${_csrf.token}"/>
    <!-- default header name is X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}"/>
    <!-- ... -->
</head>
<!-- ... -->
```

Then we can set the security token of the Ajax request inside the `beforeSend` callback of the `jQuery.ajax` method:

```javascript
$.ajax({
    url: "someUrl",
    // ... other options
    beforeSend: function(jqXHR) {
        // use the callback's own parameter (jqXHR) to set the header
        jqXHR.setRequestHeader(
            $("meta[name='_csrf_header']").attr("content"),
            $("meta[name='_csrf']").attr("content")
        );
    }
});
```

On the other hand, jqGrid already makes the Ajax request internally. Thus you have to use jqGrid callbacks to tell jqGrid to do the same inside the underlying Ajax request. Thus one should use the `loadBeforeSend` callback of jqGrid:

```javascript
loadBeforeSend: function(jqXHR) {
    var header = $("meta[name='_csrf_header']").attr("content"),
        token = $("meta[name='_csrf']").attr("content");
    jqXHR.setRequestHeader(header, token);
}
```

If you later implement editing of jqGrid data, then you will have to do similar things inside other callbacks, which allow calling `setRequestHeader` inside the `beforeSend` callback of `jQuery.ajax` during the editing of the grid.

Oleg
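An added example, not part of the original answer: because jqGrid's loading and editing requests all go through `jQuery.ajax`, one `jQuery.ajaxPrefilter` handler can set the header for both, so a misspelled per-grid callback name cannot silently skip it. The helper names `readCsrfMeta`, `attachCsrf` and `fakeJqXHR` are hypothetical; the `<meta>` names are the ones used above.

```javascript
// Added example (not from the original answer). jqGrid sends its loading and
// editing requests through jQuery.ajax, so a single prefilter covers both.

// Read header name and token via a lookup function; fail loudly if the page
// was rendered without them instead of sending an "undefined" header.
function readCsrfMeta(getMeta) {
  var header = getMeta("_csrf_header"),
      token = getMeta("_csrf");
  if (!header || !token) {
    throw new Error("CSRF meta elements _csrf/_csrf_header are missing or empty");
  }
  return { header: header, token: token };
}

// Attach the token to one request. Returns true if the header was set.
// options.crossDomain is computed by jQuery.ajax before prefilters run;
// skipping those requests keeps the token from leaking to other origins.
function attachCsrf(options, jqXHR, getMeta) {
  if (options.crossDomain) {
    return false;
  }
  var csrf = readCsrfMeta(getMeta);
  jqXHR.setRequestHeader(csrf.header, csrf.token);
  return true;
}

// Stand-in for jqXHR that records headers (constructed, for offline runs).
function fakeJqXHR() {
  var headers = {};
  return {
    headers: headers,
    setRequestHeader: function (name, value) { headers[name] = value; }
  };
}

// Browser wiring: register once, before any grid is created.
if (typeof jQuery !== "undefined") {
  jQuery.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    attachCsrf(options, jqXHR, function (name) {
      return jQuery("meta[name='" + name + "']").attr("content");
    });
  });
}
```

With the prefilter registered, a per-grid `loadBeforeSend` is no longer needed for the CSRF header.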