Spring Boot 3.0.4 does not set XSRF-TOKEN into response cookie

morten.kose · March 30, 2023, 11:22pm

I’m trying to set token into every response, but can’t do that. According to Spring boot documentation this should set token into cookie

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        // ...
        .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
    return http.build();
}

My code is and no token in response cookie:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();

        http
            .oauth2Login(oauth2 -> oauth2
                    //....failure handler)
            .csrf((csrf) -> csrf
                        .csrfTokenRepository(repository))
            .authorizeExchange(exchanges -> exchanges
                //...another pathMatchers
                .pathMatchers("/").permitAll()
                .anyExchange().authenticated()
            )
            .headers().frameOptions().mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
            .and()
            .cors()
            .and()
            .logout()
            .logoutHandler(logoutHandler())
            .logoutSuccessHandler(oidcLogoutSuccessHandler(this.postLogoutRedirectUri))
            .and()
            .exceptionHandling().authenticationEntryPoint(....);
        return http.build();
    }

if filter is added like so:

public class CsrfHelperFilter implements WebFilter {
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        String key = CsrfToken.class.getName();
        Mono<CsrfToken> csrfToken = null != exchange.getAttribute(key) ? exchange.getAttribute(key) : Mono.empty();
        return csrfToken.doOnSuccess(token -> {
            ResponseCookie cookie = ResponseCookie.from("XSRF-TOKEN", token.getToken()).maxAge(Duration.ofHours(1))
                    .httpOnly(false).path("/").build();
            exchange.getResponse().getCookies().add("XSRF-TOKEN", cookie);
        }).then(chain.filter(exchange));
    }

}

then token is in cookie but it’s to many characters (4936) and I get error in browser

Set-Cookie header is ignored in response from url: https://url... The combined size of the name and value must be less than or equal to 4096 characters.

If I use same filter and .csrf() with no params then token is set and GET is working, but POST is giving me 403 and ‘Invalid CSRF Token’

Mdchristien · April 4, 2023, 7:10am

Hi Mosh please what is the project that is covered in the java course. Does it show how to connect java to frontend and database like MySQL?

Mdchristien · April 4, 2023, 7:13am

Please anyone who has purchased the java course please help me answer the question. Does the project which is covered in the java series show how to use java as a backend and connect to a database?.

Topic		Replies	Views
Next JS - Auth Section - Retrieve token api function - token is always null React	1	306	October 15, 2023
ReactJS client gets JWT token from the Django server, but the protected API returns 401 unathorized	4	1013	December 30, 2022
Expected: 401 Received: 200 Node	6	1429	September 12, 2022
Dynamic route path based on the variable - cookie Node	0	247	November 11, 2021
Fixing bididrectional dependency React	1	267	September 7, 2022

Spring Boot 3.0.4 does not set XSRF-TOKEN into response cookie

Related Topics