Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it necessary to protect JAX-RS requests against CSRF?

Is it necessary to protect JAX-RS requests against CSRF?

By definition REST is stateless and therefore exists no session id (session cookie), because there is no session at all (see also https://stackoverflow.com/a/15746639/5277820).

My Spring Security Java Configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Configuration
    @Order(1)
    public static class JaxRsWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            http
                .antMatcher("/services/**")
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers(HttpMethod.OPTIONS, "/services/**").permitAll()              
                    .anyRequest().hasAuthority("ROLE_user")
                    .and()
                .httpBasic()
                    .and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
             }
        }
    }
}

But I found for example following blog: Stateless Spring Security Part 1: Stateless CSRF protection. Unfortunately the blog does not explain, why one needs CSRF protection.

Is there any other CSRF attack without session cookie?

like image 398
dur Avatar asked Oct 19 '22 00:10

dur


1 Answers

CSRF attacks don't need a session to exist. A CSRF attack consists in doing something on a user's behalf by tricking him/her into clicking a link or submitting a form that goes to an application where the user is logged in.

Whether basic authentication or a session cookie is used to identify the user is irrelevant.

Note that using a cookie doesn't mean that the app is not stateless. A cookie, just like basic authentication, simply consists in sending an additional header with each HTTP request.

like image 54
JB Nizet Avatar answered Oct 22 '22 00:10

JB Nizet