Problem Statement: I have some restful APIs which are CSRF protected using spring security. Also, these APIs will be accessed from different Origin/domain by Angular WEB UI. I don't need Spring Authentication as authentication is handled by Siteminder.
Approach: I followed this link from from Dave Syer for CSRF protection : The Login Page: Angular JS and Spring Security Part II which is working perfectly except one issue (Below).
Issue: This code work perfectly fine when my angular html client accessing the RESTful APIs on the same origin/domain; but when I try to access the same APIs from a different origin, getting an error 403 - Access Forbidden - CSRF token error.
Approach That I tried so far by extending your example:
Added a CORS filter - Enabling Cross Origin Requests for a RESTful Web Service
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
response.setHeader("Access-Control-Max-Age", "3600");
response.setHeader("Access-Control-Allow-Headers", "x-requested-with");
No Luck on the above.
Please suggest if I need to do anything else to make it work.
Thanks, Suman
CSRF and CORS are not the same thing. You probably have the CORS part sorted now, but you need to add a CSRF token to any POST/PUT/DELETE requests. Spring Security sends the token in a header in the blog series you quoted and Angular picks it up from there (you need to add a few lines of code to get that working).