I'm using Spring Security with a stateless web service. I'd like to use the CSRF features in Spring Security 3.2. Is that possible with a stateless web app?
This is the relevant Java Config, since I've had to disable CSRF for the time being.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .sessionFixation().none()
            .and()
        .csrf().disable();
}
If your service is really stateless, CSRF protection might not make sense at all. As long as the server does not use cookies to identify/authenticate the user, your service is not vulnerable to CSRF attacks.
For a detailed explanation, see http://sitr.us/2011/08/26/cookies-are-bad-for-you.html
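As an added example (not code from the question or the answer), this is how the answer's condition maps onto a complete Spring Security 3.2 Java configuration: CSRF is switched off only because no credential the server accepts is one the browser attaches by itself. BearerTokenAuthenticationFilter is a hypothetical filter class, and the CookieCsrfTokenRepository alternative in the trailing comment assumes Spring Security 4.1 or later, not 3.2.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                // No HttpSession is ever created, so no JSESSIONID cookie is issued
                // and there is nothing for a cross-site request to ride on.
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // BearerTokenAuthenticationFilter is a hypothetical filter that
            // authenticates each request from "Authorization: Bearer <token>".
            // Browsers never add that header to a request on their own, so a
            // forged form post from another site arrives unauthenticated.
            .addFilterBefore(new BearerTokenAuthenticationFilter(),
                             UsernamePasswordAuthenticationFilter.class)
            // Disabling CSRF is sound only while every credential the server
            // accepts is sent explicitly by client code. As soon as a session
            // cookie, a remember-me cookie or HTTP Basic (which browsers cache
            // and resend automatically) is accepted, this line must go.
            .csrf().disable();

        // If clients must be identified by a cookie after all, CSRF protection
        // can still be kept stateless with a double-submit cookie (assumes
        // Spring Security 4.1 or later):
        //   http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        // Same-origin JavaScript reads the XSRF-TOKEN cookie and echoes it in the
        // X-XSRF-TOKEN header; a page on another origin can neither read nor set it.
    }
}
```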