Add cookiePath to CookieCsrfTokenRepository #4062

Closed
wants to merge 6 commits into
from


juliovalcarcel commented Sep 16, 2016

When using Spring Security to secure a REST API and a JS frontend, I run the REST API using Tomcat and the frontend using NPM. Both Tomcat and NPM are exposed via an NGINX reverse proxy which forwards / to NPM and /api to Tomcat.

I ran into an issue implementing CSRF protection with an AngularJS app in which, when making a request to Tomcat at /api, the CSRF cookie's path would be set to /api. In order for Angular to be able to see the cookie, the path needs to be set to /. This pull request would allow for the CSRF cookie's path to be set explicitly instead of being derived from the request context, and would only set the path if the developer explicitly wanted to; otherwise it will default to using the request context.
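Why a cookie path derived from the /api context hides the token from a page served at /, as an added example that is not part of this pull request or of Spring Security: it implements the RFC 6265 path-match rule and applies it to the proxy layout described above. XSRF-TOKEN and X-XSRF-TOKEN are the AngularJS default cookie and header names; the token value, the page paths and /other-app are constructed.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie with this Path
// attribute apply to the given request or document path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary: Path=/api covers /api/x, not /apiary.
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

// The header a frontend page at documentPath can build: it can only copy the
// token if document.cookie exposes it (path matches and cookie is not HttpOnly).
function csrfHeaderFor(documentPath, jar) {
  const cookie = jar.find(
    (c) => c.name === "XSRF-TOKEN" && !c.httpOnly && pathMatches(documentPath, c.path)
  );
  return cookie ? { "X-XSRF-TOKEN": cookie.value } : {};
}

// Names of the cookies the browser attaches to a request for requestPath.
function sentWith(requestPath, jar) {
  return jar.filter((c) => pathMatches(requestPath, c.path)).map((c) => c.name);
}

// Constructed cookie jars: path derived from the /api context vs. set explicitly to "/".
const derivedFromContext = [
  { name: "XSRF-TOKEN", value: "constructed-token", path: "/api", httpOnly: false },
];
const explicitRoot = [
  { name: "XSRF-TOKEN", value: "constructed-token", path: "/", httpOnly: false },
];

// Frontend page is served at "/": it cannot read the /api-scoped cookie,
// so its state-changing requests to /api go out without the token header.
console.log(csrfHeaderFor("/", derivedFromContext)); // {}
console.log(csrfHeaderFor("/", explicitRoot));       // token header present

// Trade-off of Path=/: the cookie now accompanies requests to every path on
// the host, including other applications behind the same proxy (hypothetical path).
console.log(sentWith("/other-app/page", derivedFromContext)); // []
console.log(sentWith("/other-app/page", explicitRoot));       // [ 'XSRF-TOKEN' ]
```

Setting the path to / is what makes the token readable by the frontend; it also means every application served from that host receives the cookie, which is worth checking before widening the scope on a shared host.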

pivotal-issuemaster Sep 16, 2016

@juliovalcarcel Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

rwinch Sep 16, 2016

Member

Thanks for the PR! Can you please add some tests too?

@rwinch rwinch self-assigned this Sep 16, 2016

juliovalcarcel Sep 16, 2016

Contributor

@rwinch Added tests and also updated the JavaDoc for the setCookiePath method to note that if that value is set it will override the default functionality.

@rwinch rwinch added this to the 4.2.0 M1 milestone Sep 19, 2016

@rwinch rwinch changed the title from Allow for the CSRF cookie path to be set manually and not derived from the request context to Add cookiePath to CookieCsrfTokenRepository Sep 19, 2016

@rwinch rwinch closed this in 6834467 Sep 19, 2016
