Skip to content

Spring Security

Cross Site Request Forgery (CSRF)

  • Evil website tricks you to execute an action on a website you're logged in

  • E.g., buy an unwanted item, transfer money to someone

  • Spring Security Filters

  • can generate tokens to the forms

  • uses the Synchronizer Token Pattern

  • each request includes a session cookie with a generated token

  • Use tag to avoid it

  • Embed a token into all HTML form elements automatically
  • On request, webapp will verify the token before processing
  • You must use POST requests
  • Optionally use the plain <form> tag and manually insert the token
<form action="..." method="POST">
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form>

User Roles

<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"
%>
<p>
  User: <security:authentication property="principal.username" /> <br /><br />
  Role(s): <security:authentication property="principal.authorities" />
</p>

Users from database

  • Requires users and authorities (roles) tables

  • users

  • username
  • password
    • Plain {noop}123
    • Bcrypt {bcrypt}9a@9438cdnauw (at least 8 plain chars). Encrypted is always 60 chars
  • enabled
  • authorities
  • username
  • authority