Configure the CSRF Protection With Spring Security 6 and Angular
- Published 6 Jul 2024
- In this video I implement CSRF protection both in a Spring Boot backend with Spring Security 6 and in an Angular frontend.
I build both projects from scratch and add the CSRF protection. The backend uses stateful, cookie-based authentication.
Chapters:
0:00:00 Introduction
0:02:30 Backend creation
0:07:48 CORS configuration
0:09:30 Frontend creation
0:13:16 Request the backend
0:18:47 Submit form
0:26:57 Spring Security Configuration
0:33:50 Login Form
0:41:58 HTTP client wrapper
0:45:36 CSRF Token
0:50:00 Demo
0:50:52 Conclusion
GitHub: github.com/serlesen/fullstack...
My NEW eBook: sergiolema.dev/git-book/
Blog: bit.ly/47ornJL
LinkedIn: bit.ly/41Nn61q
Facebook: bit.ly/47rc9nh
My Desktop:
• Laptop: Macbook Pro 16' 2019
• Gaming Chair: amzn.to/47Vu6ed
• Mouse: amzn.to/3HoBwM1
• Desk: amzn.to/48Tc5Oi
• Screen: amzn.to/48VZkCL
Category: Science & Technology
Excellent content!! I'm not from an anglophone country but I understand without problems.
Thank you!
Thanks for making this video.
You're welcome 😉
Great video! I'm using spring with CSRF disable since I can remember 😆
Thanks, I think most of the projects have CSRF disabled 😅
Wonderful Tutorial
Thank you!
Hi, great video!! Although I still get the 403 Forbidden issue after implementing the same code as shown in the video. I'm developing an Angular library for which I have the Spring Boot layer for all the back-end calls. I don't require the login security as it's already there for the main app, I just need the CSRF validation for API calls. Awaiting your response 😊
Thanks! Do you have cookies enabled? Is it a stateful application?
Hi, this was an amazing video on this subject. Haven't seen anyone explain how it works till now. Still, I have one question remaining: where can I learn about Spring Security in depth? Would be great if you could provide me some links to some resources. Thanks!
Thank you Stefan!
What are you looking for? Videos (Udemy or YouTube), coaching, documentation?
Thanks for this. I have one question: how can I test my backend with Postman if I have CSRF enabled? I tried getting the CSRF token first, but when I make the POST call, the CSRF token of the server has already changed..
Enable the connection of Postman with a browser, because the CSRF token needs to set the session cookie.
If I put all this code into WordPress, will it still work? I struggle to find a tutorial that could explain the whole coding system behind it and I just want to secure my website.
Using this workflow to protect your website is good. But there are other complements (like authentication, or even HTTPS).
I'm not sure I understand what you want to do with WordPress.
Hi man, great video! However, I'm facing some troubles, can you help me?
Thanks
Maybe. DM on Discord, LinkedIn or Facebook Messenger
If a backend application is hosted on multiple servers, how will the CSRF token be validated?
You need to share the session information between the servers. You can do it like this: ua-cam.com/video/YWVjnJsJRG0/v-deo.html
Please help me!
I have permitted all endpoints using permitAll(), but only GET methods are accessible, whereas POST methods return a FORBIDDEN error: "You don't have permission to access this".
If I disable CSRF in the SecurityFilterChain, then POST methods without parameters can be accessed, but if there are parameters, they still return a FORBIDDEN error.
How do you access the POST endpoints? Via Postman, a terminal or a browser?
Because the CSRF protection needs to set a cookie to identify the session. If you use Postman or a terminal, this is not done by default.
Hi, could you please do an authentication with a token and security in the URL, and verification by sending mail, with Spring and Angular please??
A token in the URL is a bad practice, as the URL can easily be traced.
I've already done a video about the Authentication with token and Angular at ua-cam.com/video/YUqi1IjLX8I/v-deo.html.
About sending mail, it could be interesting, let me add it to my TODO list 😉
@TheDevWorldbySergioLema could you please do the sender mail with Angular and Spring?
I don't understand why the CSRF was disabled in the SecurityConfig?
Our security team has pointed out that it should not be disabled in the Security Config.
It's another layer of complexity. It shouldn't be disabled, but to speed up the development time, people disable it.
How to set up the CSRF repository for a new token on each request? Can you provide me any article for that?
Sorry, I don't have any article about that.
What you have to do is make the frontend request the CSRF endpoint before each request.
Nothing more.
The problem comes when you have several requests at the same time. I don't know how to handle this case.
@@TheDevWorldbySergioLema thank you for reply.
You're welcome!
But how to secure the endpoint that generates the CSRF token?
In fact, the CSRF endpoint is here to protect the authentication endpoint.
Yes, I'm also having the same doubt: if it's not protected, then an attacker can also get the CSRF token from it and pass it to the next subsequent request.
@TheDevWorldbySergioLema can you clarify this?
The attacker can obtain a new CSRF token associated with its session.
This means that it can hack my session because it's a different CSRF token.
Why did you use WebMvcConfigurer here? In another video you said to use CORS if we are using Spring Security: "If you use Spring Security, it's recommended to use this way instead of WebMvcConfigurer. This way, a CorsFilter is put in place which intercepts all the requests. With WebMvcConfigurer, not all the requests are intercepted, only those from the MVC Web."
Because I found the solution of using CorsConfigurationSource over WebMvcConfigurer after doing this video 😅
@TheDevWorldbySergioLema Okay, thanks for the fast answer! 😎