I have an SSL-secured REST Spring Boot API that is working fine.
My server security config class is as below:
@Override
protected void configure(HttpSecurity http) throws Exception {
    // .csrf().disable()
    http
        .exceptionHandling()
            .authenticationEntryPoint(new Http401AuthenticationEntryPoint("App header"))
        .and()
        .authenticationProvider(getProvider())
        .formLogin()
            .loginProcessingUrl("/logins/login")
            .successHandler(new SimpleUrlAuthenticationSuccessHandler())
            .failureHandler(new SimpleUrlAuthenticationFailureHandler())
        .and().httpBasic();
    http.logout()
        .logoutUrl("/logout")
        .logoutSuccessHandler(new AuthentificationLogoutSuccessHandler())
        .invalidateHttpSession(true)
        .and().httpBasic();
    http.authorizeRequests()
        .antMatchers("/docs").hasAnyRole(Role.USER.name(), Role.ADMIN.toString())
        .antMatchers("/logins/login").permitAll()
        .antMatchers("/logout").permitAll()
        .anyRequest().authenticated().and()
        .requestCache()
            .requestCache(new NullRequestCache())
        .and().httpBasic();
    // debug output
    System.out.println(" 1 : " + Role.USER.name() + " --- " + Role.USER.toString());
}
When logging in to my API I'm getting these headers as the response:
[ X-Frame-Options=[DENY],
Transfer-Encoding=[chunked],
Strict-Transport-Security=[max-age=31536000 ; includeSubDomains],
Cache-Control=[private],
X-Content-Type-Options=[nosniff],
Set-Cookie=[JSESSIONID=615FD3642011AE7558D598255D10C85E; Path=/; Secure; HttpOnly],
Expires=[Thu, 01 Jan 1970 01:00:00 CET],
X-XSS-Protection=[1; mode=block],
Date=[Wed, 25 Apr 2018 21:35:16 GMT],
Content-Type=[application/json;charset=UTF-8]]
As far as I have read, adding the cookie to my next request's header is mandatory, to use my JSESSIONID to allow the server to recognise my session. But trying this on Unirest by:
Setting my httpClient to manage cookies:
HttpClient httpClient = HttpClients.custom()
        .disableCookieManagement()   // cookies are added by hand below, not by the client
        .build();
Unirest.setHttpClient(httpClient);
Adding headers to my Unirest API:
// needs java.util.function.Predicate, java.util.Map and java.util.List;
// asJson is the HttpResponse<JsonNode> returned by the login call
Predicate<? super Map.Entry<String, List<String>>> prdct = (key) -> {
    return key.getKey().equals("Set-Cookie");
};
final String jSessionID = asJson.getHeaders().entrySet().stream()
        .filter(prdct).findFirst().get().getValue().get(0);
// keep only "JSESSIONID=..." and drop the Path/Secure/HttpOnly attributes
System.out.println("jsession id " + jSessionID.split(";")[0]);
Unirest.setDefaultHeader("Cookie", jSessionID.split(";")[0]);
// value holds the Base64-encoded "user:password" pair
Unirest.setDefaultHeader("authorization", "Basic " + value);
Unirest.setDefaultHeader("Content-Type", "application/json");
But even with this I'm still getting a denial of service from my server, shown in the body of the response to my next request:
{"timestamp":"2018-04-25T21:35:32.659+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/user/1"}
What should I do?
CSRF being active was the issue. When I deactivated CSRF by uncommenting the line in the server config, this works fine, so I searched for a demo app where CSRF stays active and I found this
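As an added example (not code from the question or from the demo app the answer mentions), here is one way to keep CSRF protection enabled while the Unirest client still gets through: the server hands out the token as a readable XSRF-TOKEN cookie and the client sends it back in an X-XSRF-TOKEN header together with the JSESSIONID cookie. It assumes Spring Security 4.1+ with CookieCsrfTokenRepository on the server, the Unirest 1.x (com.mashape) API used in the question, and a host name and credentials placeholder that are not in the original.

```java
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.JsonNode;
import com.mashape.unirest.http.Unirest;
import com.mashape.unirest.http.exceptions.UnirestException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
// Server side (assumed, Spring Security 4.1+), in place of .csrf().disable():
//   http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
// It issues a readable XSRF-TOKEN cookie that the client echoes back in an
// X-XSRF-TOKEN header on every POST/PUT/DELETE.
public class CsrfAwareClient {
    static final String BASE = "https://localhost:8443";               // assumed host
    static final String BASIC = "Basic " + "<base64 of user:password>"; // placeholder
    // Parse Set-Cookie headers into name -> value, dropping Path/Secure/HttpOnly.
    static Map<String, String> parseCookies(List<String> setCookieHeaders) {
        Map<String, String> jar = new LinkedHashMap<>();
        if (setCookieHeaders == null) return jar;
        for (String h : setCookieHeaders) {
            String nameValue = h.split(";", 2)[0];
            int eq = nameValue.indexOf('=');
            if (eq > 0) jar.put(nameValue.substring(0, eq).trim(), nameValue.substring(eq + 1).trim());
        }
        return jar;
    }
    // Render the jar as one Cookie request header.
    static String cookieHeader(Map<String, String> jar) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : jar.entrySet()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }
    public static void main(String[] args) throws UnirestException {
        // 1. A GET with Basic auth is not CSRF-checked; its response sets both
        //    JSESSIONID (the session) and XSRF-TOKEN (the CSRF token).
        HttpResponse<JsonNode> first = Unirest.get(BASE + "/docs")
                .header("Authorization", BASIC).asJson();
        Map<String, String> jar = parseCookies(first.getHeaders().get("Set-Cookie"));
        // 2. State-changing request: the session cookie authenticates it and the
        //    token header satisfies CsrfFilter; without X-XSRF-TOKEN it answers 403.
        HttpResponse<JsonNode> r = Unirest.post(BASE + "/user/1")
                .header("Cookie", cookieHeader(jar))
                .header("X-XSRF-TOKEN", jar.get("XSRF-TOKEN")).asJson();
        System.out.println("status " + r.getStatus());
    }
}
```

The token and session cookies are re-read from every response in a real client, since Spring rotates the session id on login and can reissue the CSRF cookie.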