Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Security, Stateless REST service and CSRF

I have a REST service, built using Java, Spring-boot and using Spring Security with Basic Access Authentication. There are no Views, no JSP etc, no 'login', just stateless services which can be called from a React app hosted separately.

I've read a variety of documentation about CSRF protection, but can't decide whether I should be using spring-security CSRF config, or just disabling it? If I disable the csrf protection I can call the service with curl using my basic auth like this:

curl -H "authorization:Basic c35sdfsdfjpzYzB0dDFzaHA=" -H "content-type:application/json" -d '{"username":"user","password":"password","roles":"USER"}' localhost:8081/api/v1/user

If I enable the csrf protection and provide a x-csrf-token header, then the spring CsrfFilter attempts to cross check this against a value from (I think) a session cookie in the HttpServletRequest. However since its a stateless REST service I don't have a session, and haven't 'logged in'.

I have a config class which looks like this:

@EnableWebSecurity
@Configuration
public class ServiceSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and().httpBasic();
        if (!serviceProperties.isCsrfEnabled()) {
            http.csrf().disable();
        }
    }

The more I think about it, the more it seems that I will just need to disable CSRF protection. Is there another way to configure spring security so it will work?

thanks

like image 756
robjwilkins Avatar asked Feb 26 '18 09:02

robjwilkins


People also ask

Is CSRF attack is possible with REST API?

Enabling cross-site request forgery (CSRF) protection is recommended when using REST APIs with cookies for authentication. If your REST API uses the WCToken or WCTrustedToken tokens for authentication, then additional CSRF protection is not required.

Do I need CSRF with JWT?

There's no way someone can abuse XSS and take your JWT to impersonate you. If you put your JWTs in a header, you don't need to worry about CSRF. You do need to worry about XSS, however. If someone can abuse XSS to steal your JWT, this person is able to impersonate you.

Is CSRF enabled by default in Spring Security?

As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, the corresponding XML configuration can be seen below. CSRF protection is enabled by default with Java Configuration.

How is CSRF attack prevented with Spring Security?

Spring provides two mechanisms to protect against CSRF attacks: The Synchronizer Token Pattern. Specifying the SameSite Attribute on your session cookie.


2 Answers

To answer your first question, in the context that you describe, you do not need CSRF protection. The background of CSRF protection is to ensure that the user is not tricked into doing some unwanted action.

For example, in pure theory, you could have logged into a bank's website (and thus established a session) and then went to some shady website. This site could have a form making a POST request to the bank's APIs. Because you have a session there, if the endpoint is not CSRF protected, then the request may go through.

As such, CSRF mostly acts as a protection against browser + session based attacks. If you expose a pure REST API with e.g. OAuth protection, then I don't see any reason for CSRF.

As you use spring boot, you could also disable CSRF using the application.properties / application.yaml configuration file.

security.enable-csrf=false

You can check out the Common Application Properties documentation page for more out-of-the-box configuration options.

like image 166
Serban Petrescu Avatar answered Sep 21 '22 06:09

Serban Petrescu


If you want to disable csrf in more proper way you can call it like this(if using java configuration)

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and().httpBasic();
       .and()
            .csrf()
            .disable()
like image 29
Aramka Avatar answered Sep 18 '22 06:09

Aramka