juliovalcarcel
Contributor

When using Spring Security to secure a REST API and a JS frontend, I run the REST API using Tomcat and the frontend using NPM. Both Tomcat and NPM are exposed via an NGINX reverse proxy which forwards / to NPM and /api to Tomcat.

I ran into an issue implementing CSRF protection with an AngularJS app in which, when making a request to Tomcat at /api, the CSRF cookie's path would be set to /api. In order for Angular to be able to see the cookie, the path needs to be set to /. This pull request would allow for the CSRF cookie's path to be set explicitly instead of being derived from the request context, and would only set the path if the developer explicitly wanted to; otherwise it will default to using the request context.
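
The cookie-path behaviour behind this report, as an added example that is not part of the pull request or of Spring Security's code: it implements the RFC 6265 (section 5.1.4) path-match rule a browser applies before exposing a cookie to a page's scripts, and models the path selection the description above proposes. The function names, the `XSRF-TOKEN` sample cookie and the fallback to `/` for an empty context path are assumptions made for the illustration.

```javascript
// Added illustration, not code from the pull request.
// RFC 6265 section 5.1.4: does a cookie with this Path apply to this request/document path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts at a "/" boundary, so Path=/api does not cover /apiary.
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

// Model of the behaviour described in the PR (hypothetical helper): an explicitly
// configured path wins; otherwise the path is derived from the request context.
// Assumption: an empty (root) context path is written as "/".
function csrfCookiePath(contextPath, configuredPath) {
  if (configuredPath) return configuredPath;
  return contextPath.length > 0 ? contextPath : "/";
}

// Names of the cookies a script running at documentPath can read via document.cookie.
// HttpOnly cookies are never exposed to scripts, whatever their path.
function visibleCookies(documentPath, cookies) {
  return cookies
    .filter((c) => !c.httpOnly && pathMatches(documentPath, c.path))
    .map((c) => c.name);
}

// Constructed scenario: the proxy serves the frontend at "/" and the API,
// deployed with context path "/api", sets the CSRF token cookie.
function scenario(configuredPath) {
  const cookie = {
    name: "XSRF-TOKEN", // constructed sample cookie
    path: csrfCookiePath("/api", configuredPath),
    httpOnly: false,
  };
  return {
    cookiePath: cookie.path,
    frontendCanRead: visibleCookies("/", [cookie]).includes(cookie.name),
    sentToApi: pathMatches("/api/users", cookie.path),
  };
}

console.log("derived from context:", scenario(undefined));
console.log("explicit cookiePath '/':", scenario("/"));
```

With the path derived from the context, the frontend at `/` cannot read the token it must echo back in a header; with the explicit `/` path it can, and the cookie then also accompanies every request to that host, not only those under `/api`.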

@pivotal-issuemaster

@juliovalcarcel Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-issuemaster

@juliovalcarcel Thank you for signing the Contributor License Agreement!

Member

rwinch commented Sep 16, 2016

Thanks for the PR! Can you please add some tests too?

rwinch added the "status: waiting-for-feedback" label Sep 16, 2016
rwinch self-assigned this Sep 16, 2016
Contributor Author

juliovalcarcel commented Sep 16, 2016

@rwinch Added tests and also updated the JavaDoc for the setCookiePath method to note that if that value is set it will override the default functionality.

rwinch added the "in: web" and "type: enhancement" labels and removed the "status: waiting-for-feedback" label Sep 19, 2016
rwinch added this to the 4.2.0 M1 milestone Sep 19, 2016
rwinch changed the title from "Allow for the CSRF cookie path to be set manually and not derived from the request context" to "Add cookiePath to CookieCsrfTokenRepository" Sep 19, 2016
rwinch closed this in 6834467 Sep 19, 2016