An AngularJS interceptor that sets the Spring Security CSRF token information in all HTTP requests if it's able to find it in a response header on application startup.
Clone or download
aditzel Merge pull request #7 from karthilxg/master
Added feature to customize the csrf token interceptor behavior.
Latest commit aa33d7a Apr 30, 2015

README.md

#spring-security-csrf-token-interceptor

An AngularJS interceptor that will include the CSRF token header in HTTP requests.

It does this by doing an AJAX HTTP HEAD call to / by default, and then retrieves the HTTP header 'X-CSRF-TOKEN' and sets this same token on all HTTP requests.

spring-security-csrf-token-interceptor also supports configuring the CSRF header name, number of retries allowed in-case of Forbidden errors, restrict adding the CSRF tokens to some HTTP types etc.

#Installing ###Via Bower

$ bower install spring-security-csrf-token-interceptor

###Via NPM

$ npm install spring-security-csrf-token-interceptor

#Usage Include this as a dependency on your application:

angular.module('myApp', ['spring-security-csrf-token-interceptor']);

Use the configProvider to customize the interceptor behavior. Check Configuration section for more details.

 csrfProvider.config({});

#Configuration The following options are available for configuring the interceptor,

Note: All these below configurations are optional.
  • options (Object) - Options to customize the CSRF interceptor behavior.

  • options.url (String) - The URL to which the initial CSRF request has to be made to get the CSRF token. Default: \.

  • options.csrfHttpType (String) - The HTTP method type which should be used while requesting the CSRF token call. Default: head.

  • options.maxRetries (Number) - The number of retries allowed for CSRF token call in-case of 403 Forbidden response errors. Default: 5.

  • options.csrfTokenHeader (Array) - Set this option to add the CSRF headers only to some HTTP requests. Default: ['GET', 'HEAD', 'PUT', 'POST', 'DELETE'].

  • options.csrfTokenHeader (String) - Customize the name of the CSRF header on the requests. Default: X-CSRF-TOKEN.

###Example

    angular
        .module('myApp', [
            'spring-security-csrf-token-interceptor'
        ])
        .config(function(csrfProvider) {
            // optional configurations
            csrfProvider.config({
                url: '/login',
                maxRetries: 3,
                csrfHttpType: 'get',
                csrfTokenHeader: 'X-CSRF-XXX-TOKEN',
                httpTypes: ['PUT', 'POST', 'DELETE'] //CSRF token will be added only to these method types 
            });
        }).run(function() {
    });