Spring Boot Security - Enabling CSRF Protection
Until now, in all our examples we had disabled CSRF. CSRF stands for Cross-Site Request Forgery. It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated: the browser automatically attaches the user's session cookie to any request sent to that application, including a request triggered from a page the attacker controls. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
Spring Boot Security - Table Of Contents
- Spring Boot + Simple Security Configuration
- Spring Boot Form Security Login Hello World Example
- Spring Boot Security - Custom Login Page Example
- Spring Boot Security - JDBC Authentication Example
- Spring Boot Security - Creating Users Programmatically Using JdbcUserDetailsManager
- Spring Boot Security - Password Encoding Using Bcrypt
- Spring Boot Security - Enabling CSRF Protection
- Spring Boot Security - Authentication Handler Example
- Spring Boot Security - Introduction to OAuth
- Spring Boot OAuth2 Part 1 - Getting The Authorization Code
- Spring Boot OAuth2 Part 2 - Getting The Access Token And Using it to Fetch Data
Video
This tutorial is also explained in the accompanying YouTube video.

Understanding CSRF attack-
Log in to the application and do not close that browser window. Now suppose you receive an email with the following content.
```html
Hi JavaInUse
<!-- The attacker's form posts straight to the victim application's endpoint.
     The browser attaches the victim's session cookie to this request automatically,
     so the application sees an authenticated request it never rendered a form for. -->
<form method="post" action="http://localhost:8080/addNewEmployee">
    <input id="empId" type="hidden" name="empId" value="Hacker001"/>
    <input id="empName" type="hidden" name="empName" value="hacker"/>
    <input type="submit" value="Surprise..Surprise..See What This Does"/>
</form>
```
You open this page and click on the surprise button-
We see that an employee named hacker has been added to our application, even though we never submitted the form from the application itself: our browser attached the session cookie to the forged request. This is a CSRF attack. Next we see how to tackle it.
Let's Begin-
We will use a CSRF token so that state-changing requests are accepted only when they originate from pages the application itself served. The server issues an unguessable token bound to the user's session, embeds it in its own forms, and rejects any POST that does not carry the matching token; a page on the attacker's site cannot read that token, so the forged form above fails. We will be modifying the code we developed in the previous tutorial, Spring Boot Security - Password Encoding Using Bcrypt.
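The token check described above, as an added example that is not code from this tutorial or from Spring Security itself. It uses a constructed in-memory stand-in for the servlet session store and the employee table; the names `handle_request`, `simulate`, the cookie name `JSESSIONID` and the hidden field name `_csrf` are assumed for illustration. It replays the attack from the mail form with protection off and on, and also shows that a token taken from the attacker's own session is rejected, because each token is bound to the session that received it.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the servlet session store and the employee table.
SESSIONS = {}   # session id -> {"user": ..., "csrf_token": ...}
EMPLOYEES = {}  # empId -> empName
# Safe methods change no state and need no token (this mirrors Spring's default matcher).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def login(user):
    """Create a session and bind a fresh, unguessable token to it (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_add_employee_form(sid):
    """Form served by the application itself. The hidden _csrf field is the counterpart of
    a hidden input carrying the session's token in the application's own template."""
    return {"_csrf": SESSIONS[sid]["csrf_token"]}


def handle_request(method, cookies, form, csrf_enabled=True):
    """Simulated handler for /addNewEmployee.

    The browser attaches the JSESSIONID cookie to every request for this origin, whichever
    page the form was on. The token, however, exists only in HTML the application rendered,
    so a cross-site form can name the fields but cannot supply the token."""
    session = SESSIONS.get(cookies.get("JSESSIONID"))
    if session is None:
        return 401, "not authenticated"
    if csrf_enabled and method not in SAFE_METHODS:
        supplied = form.get("_csrf", "")
        # Constant-time comparison against the token bound to *this* session.
        if not hmac.compare_digest(session["csrf_token"], supplied):
            return 403, "invalid CSRF token"
    if method == "POST":
        EMPLOYEES[form["empId"]] = form["empName"]
        return 200, "employee added"
    return 200, "ok"


def simulate(csrf_enabled=True):
    """Replay the tutorial's attack: the victim is logged in, then submits the mailed form."""
    EMPLOYEES.clear()
    victim_cookies = {"JSESSIONID": login("javainuse")}

    # 1. The attacker's mail form: it knows the field names, but never the victim's token.
    forged_form = {"empId": "Hacker001", "empName": "hacker"}
    forged = handle_request("POST", victim_cookies, forged_form, csrf_enabled)

    # 2. An attacker with their own account cannot reuse their own token against the victim:
    #    the token is compared with the one bound to the victim's session.
    attacker_sid = login("attacker")
    stolen = {**forged_form, **render_add_employee_form(attacker_sid)}
    cross_session = handle_request("POST", victim_cookies, stolen, csrf_enabled)

    # 3. A legitimate submission from the page the application rendered for the victim.
    legit_form = dict(render_add_employee_form(victim_cookies["JSESSIONID"]),
                      empId="E100", empName="alice")
    legit = handle_request("POST", victim_cookies, legit_form, csrf_enabled)
    return forged, cross_session, legit, dict(EMPLOYEES)


if __name__ == "__main__":
    print("CSRF disabled:", simulate(csrf_enabled=False))
    print("CSRF enabled: ", simulate(csrf_enabled=True))
```

With protection disabled, all three submissions return 200 and the employee Hacker001 ends up in the table; with protection enabled, only the submission carrying the victim session's own token succeeds. The same reasoning is why the token must never be placed in a cookie alone: anything the browser sends automatically is exactly what the attacker can rely on.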
Maven Project will be as follows-