We are using JWT authentication in a Spring Boot application. In order to protect against CSRF attacks we want to send the token back to the server in a custom HTTP header instead of a cookie.
Is there a way to get Thymeleaf to use XMLHttpRequest for the links it generates? We do not want to troll through the templates replacing all th:href anchors with JavaScript onclick handlers.
The first part of the statement, fragments/header, is a template name that we are referencing. This can be a file (like in this example) or it can refer to the same file, either by using the this keyword (e.g. this :: header) or without any keyword (e.g. :: header).
In the Home pane, double-click HTTP Response Headers. In the HTTP Response Headers pane, click Add... in the Actions pane. In the Add Custom HTTP Response Header dialog box, set the name and value for your custom header, and then click OK.
Select the web site where you want to add the custom HTTP response header. In the web site pane, double-click HTTP Response Headers in the IIS section. In the actions pane, select Add. In the Name box, type the custom HTTP header name.
HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value.
Short answer: no!
Long answer: the question is invalid, to be honest. Thymeleaf is just a library to generate HTML/XML. XMLHttpRequest, which is also known as AJAX (*), is only used via JavaScript.
Furthermore, it is impossible to send custom headers with a form post without JavaScript. So you need to write some JavaScript to add custom headers along with your form. This custom JavaScript should be written by you; Thymeleaf has no mechanism to automate it.
* For future comments: I know this is not precise, don't be pedantic ;)
You can add your token to the page like this [see meta tag]:
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org"
      xmlns:layout="http://www.w3.org/1999/xhtml"
      layout:decorator="Layout">
<head>
    <title>Example</title>
    <meta name="_jwt" th:content="${yourToken}"/>
</head>
...
Then in all AJAX requests you can read those meta values and add them as custom headers.
For example, if you are using jQuery, you can globally configure all jQuery AJAX requests as follows:
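$(function () {
    // Read the token that the template rendered into the meta tag.
    var _token = $('meta[name="_jwt"]').attr('content');
    // Runs before every jQuery AJAX request and attaches the custom header.
    $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
        jqXHR.setRequestHeader("your_jwt_token_header_name", _token);
    });
});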
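The prefilter above runs for every jQuery AJAX request, including ones to other origins (CDNs, third-party APIs), so the token would be offered to those hosts too. The following is an added example, not part of the original answer, that attaches the header only when the request targets the page's own origin; the function names and the explicit `pageOrigin` parameter are assumptions made for illustration.

```javascript
// Added example, not from the original answer.
// HEADER_NAME is the answer's placeholder; pageOrigin is passed in explicitly
// (an assumption) so the check also runs outside a browser.
const HEADER_NAME = "your_jwt_token_header_name";

// True only when `url` resolves to the page's own scheme, host and port.
function isSameOrigin(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin === new URL(pageOrigin).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign and send no token
  }
}

// Copy of `headers` with the JWT added for same-origin targets only.
function withJwtHeader(url, headers, token, pageOrigin) {
  const out = Object.assign({}, headers);
  if (token && isSameOrigin(url, pageOrigin)) {
    out[HEADER_NAME] = token;
  }
  return out;
}

// Browser wiring: same prefilter hook as the answer, restricted to same-origin.
// Call as installJwtPrefilter(jQuery, window.location.origin) on DOM ready.
function installJwtPrefilter($, pageOrigin) {
  const token = $('meta[name="_jwt"]').attr("content");
  $.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    const h = withJwtHeader(options.url, {}, token, pageOrigin);
    if (h[HEADER_NAME]) {
      jqXHR.setRequestHeader(HEADER_NAME, h[HEADER_NAME]);
    }
  });
}
```

Protocol-relative URLs, a scheme downgrade to http, and a different port all count as a different origin here, so none of them receive the token.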