Sockjs fallback with Spring Security CSRF enable

2
votes


My project use Spring Security + Spring MVC and deals with websocket (over stomp+sockjs).
When I test the sockjs fallback the XHR request return 403. If I turn off csrf on the security context it's OK.
If I override the sockjs AbstractXHRObject constructor like this : it's ok :

function AbstractXHRObject(method, url, payload, opts) {
  debug(method, url);
  var self = this;
  EventEmitter.call(this);

  // HACK : add csrf headers
  opts["headers"][csrfHeader] = csrfToken;

  setTimeout(function () {
    self._start(method, url, payload, opts);
  }, 0);
}

Off course I have to check if opts is not null...

My question is : What is the way to add headers on the XHR fallback object of SockJS ?

Thanks

1
spring-mvcspring-securitycsrfsockjs
no idea about sockjs in case of angularjs you can add intercept and add headers like this stackoverflow.com/questions/27332717/… - Anudeep Gade

1 Answers

1
votes

Finally I disable CSRF for sockjs URL in my security context.

 <security:csrf request-matcher-ref="csrfMatcher" />

and the matcher :

public class CsrfSecurityRequestMatcher implements RequestMatcher {

    private Pattern                 allowedMethods      = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
    private AntPathRequestMatcher   unprotectedMatcher  = new AntPathRequestMatcher("/ws/**/xhr_send**");

    @Override
    public boolean matches(HttpServletRequest request) {
        if (allowedMethods.matcher(request.getMethod()).matches()) {
            return false;
        }

        return !unprotectedMatcher.matches(request);
    }
}

NOTE : It follow http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/