Java Spring REST / Jersey: how to secure a REST route with a filter

user8557463 :

I use the following in the pom.xml, which is actually securing the root route; I see the authentication process starting in the browser for a few seconds:

  <filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CsrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Now I have specific routes that I need to secure when the user chooses them...

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

@Path("/run")
public class Service {

    ...

    @GET
    @Path("connect/{param}")
    public Response connectToHost(@PathParam("param") String host) {
        ...
    }
}

How should I do it? Via configuration in the pom as above, or via code for each route?

vsoni :

There are some confusing points in your question, but I'll try to cover whatever I can.

ONE. Filter settings - As per your question, you made the filter settings in pom.xml. But actually filter settings are always made in the web.xml file. If you have mistakenly named it pom.xml then ignore this, but if not, then move the filter settings to web.xml.

TWO. In your question tags you have mentioned that your query is related to spring-boot and spring-security. But the code sample that you have attached suggests you are perhaps using Jersey for creating REST APIs and not using Spring or Spring Security. You are actually trying to use CSRF protection at a lower level, at the Tomcat server level. That's fine.

THREE. CSRF protection can be leveraged with Spring Security as well as Tomcat APIs.

FOUR. If you want to understand how Spring Security provides CSRF protection to REST endpoints, you will have to provide the following configuration in your code.

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Keep the token in a cookie that browser-side JavaScript can read
                // (httpOnly=false) so the client can echo it back in a request header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

This will provide CSRF protection to all POST, PUT, PATCH, and DELETE requests to your application. Refer to https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html for more details.

FIVE. Now for your actual question of how to provide CSRF protection to multiple routes of your Jersey-based REST endpoints... You can provide multiple URL patterns like the following.

<filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CsrfFilter</filter-name>
    <url-pattern>/run</url-pattern>
    <url-pattern>/path1</url-pattern>
    <url-pattern>/path2</url-pattern>
</filter-mapping>

Refer to https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs for more details on RestCsrfPreventionFilter.
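As an added illustration of the "via code for each route" option raised in the question (this is not code from either post): a Jersey 2 name-bound ContainerRequestFilter that enforces a per-session nonce only on the resource methods you annotate, using the same X-CSRF-Token header and "Fetch" convention as Tomcat's RestCsrfPreventionFilter. It assumes a servlet-container session is available to Jersey and uses the hypothetical annotation name CsrfProtected.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.NameBinding;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical name-binding annotation: put it on each resource method (or class) to protect.
@NameBinding @Retention(RetentionPolicy.RUNTIME) @interface CsrfProtected {}

@Provider @CsrfProtected
public class CsrfTokenFilter implements ContainerRequestFilter {
    static final String HEADER = "X-CSRF-Token";   // same header name Tomcat's RestCsrfPreventionFilter uses
    static final String SESSION_KEY = "csrf-nonce";
    static final Set<String> SAFE = Set.of("GET", "HEAD", "OPTIONS");   // methods that must not change state
    private static final SecureRandom RNG = new SecureRandom();
    @Context private HttpServletRequest request;   // injected by Jersey when deployed in a servlet container

    @Override
    public void filter(ContainerRequestContext req) {
        HttpSession session = request.getSession(true);
        String nonce = (String) session.getAttribute(SESSION_KEY);
        if (nonce == null) {   // mint one 256-bit nonce per session
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(SESSION_KEY, nonce);
        }
        String presented = req.getHeaderString(HEADER);
        if (SAFE.contains(req.getMethod())) {
            // Safe methods pass; a safe request sending "X-CSRF-Token: Fetch" is answered with the nonce instead
            if ("Fetch".equals(presented)) req.abortWith(Response.noContent().header(HEADER, nonce).build());
            return;
        }
        // State-changing methods must present the session nonce; compare in constant time
        boolean ok = presented != null && MessageDigest.isEqual(
                nonce.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
        if (!ok) req.abortWith(Response.status(Response.Status.FORBIDDEN).entity("CSRF token missing or invalid").build());
    }
}
```

Annotate connectToHost (or the whole Service class) with @CsrfProtected and register the filter in your ResourceConfig. Like the Tomcat filter, it treats GET, HEAD and OPTIONS as non-modifying, so a route that changes state needs to be a POST for either approach to check it.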
