React + springboot csrf
The answer above I think it used an old spring security version. There's an easy way. For springboot backend, you can just do
.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
And for in react, you can do the way in that answer but don't forgot using <CookiesProvider>
to wrap up what you return
Or you can just get the token from document.cookie. There should be a pair starting with XSRF-TOKEN=
And csrf should not be applied to GET method.
You need to save CSRF-TOKEN
to cookie and send it back with the request header.
SecurityConfig class.
Enable csrftokenrepsitory
.csrf().csrfTokenRepository(csrfTokenRepository()).and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).addFilterAfter(new XSSFilter(), CsrfFilter.class);
Add csrfTokenRepository
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName(X_CSRF_TOKEN);
return repository;
}
In react, you can access token from the cookie.
csrfToken= cookies.get('XSRF-TOKEN');
Send it as follows in the header.
headers: {
'X-XSRF-TOKEN': this.csrfToken,
'Accept': 'application/json',
'Content-Type': 'application/json'
},
https://github.com/supun/okta-spring-boot-react-crud-example/blob/master/src/main/java/com/okta/developer/jugtours/config/SecurityConfiguration.java