Spring - CSRF token expires during login
I'm working on a Spring web application and need to avoid the problem of the CSRF token expiring on the login page, because if the user waits too long and then tries to log in, one way to resolve the CSRF problem is to reload the page and try to log in again. It's not user friendly, and I want to avoid this situation.
First question: is this possible in general (with Spring Security 3.2.4), without disabling CSRF?
I tried using security="none" for the login page and Spring Security's "login_check", but it's not working: I get an infinite redirect or an error that there is no mapping for the URL "myhost/login_check".
Second question: how can I do it?
Recommended solution
You should not disable CSRF tokens on a production site. You may make the session (and CSRF token) last longer (but it should not last longer than a day, as not-logged-in users are a DoS vector); the real solution may be to automatically refresh the login page when the CSRF token expires. You may use a
<meta http-equiv="refresh" content="csrf_timeout_in_seconds">
in the login page header. If the user lets the login page sit for hours, it should not bother him that the page got refreshed.
Second solution
A possible solution that does not require storing sessions and allows an infinite timeout is to generate CSRF tokens by hashing the session id and a server-side secret:
csrf = hash(sessionid+secret)
Note that you need to dig into and override Spring Security's internal mechanisms, namely:
- re-creating anonymous sessions on the fly if a request arrives and no such session exists
- re-creating the CSRF token on the fly from the session id
And choose a secure hashing algorithm, preferably SHA-512.
Third solution
You could have a small JavaScript that calls a no-op page on the server regularly (just before the session timeout), extending the session. This results in an infinite session timeout as long as the browser is on time, and the DoS aspect is mitigated.
OK, one last solution
You can alter the CSRF token checking code and disable it for the login page. This is synonymous with the second solution, but specific to the login page, not to anonymous sessions.
You can do this e.g. by setting a custom RequestMatcher in HttpSecurity:
    // In the HttpSecurity configuration: only requests the matcher accepts are CSRF-protected.
    http.csrf().requireCsrfProtectionMatcher(new MyCsrfRequestMatcher());
    ...
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.web.util.matcher.RequestMatcher;

    // Protect every request except the one to the login page.
    class MyCsrfRequestMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            return !request.getServletPath().equals("/login");
        }
    }
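A stand-alone Java sketch of the second solution above (an added example, not code from the answer or from Spring Security): the token is derived from the session id and a server-side secret, using HMAC-SHA512 rather than a plain SHA-512 of the concatenation, since a keyed MAC avoids length-extension issues. It assumes Java 8+ and that the session id comes from HttpSession.getId(); the secret and session id in main are constructed sample values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Stateless CSRF token: token = HMAC-SHA512(secret, sessionId); nothing is stored per session.
public final class DerivedCsrfToken {
    private static final String ALGORITHM = "HmacSHA512";
    private final byte[] secret;

    public DerivedCsrfToken(byte[] secret) {
        if (secret == null || secret.length < 32) {
            throw new IllegalArgumentException("secret must be at least 256 bits");
        }
        this.secret = secret.clone();
    }

    // Derive the token for a session id; URL-safe base64 so it fits in a form field or header.
    public String tokenFor(String sessionId) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(secret, ALGORITHM));
            byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    // Compare the submitted token with the re-derived one in constant time.
    public boolean isValid(String sessionId, String submitted) {
        if (sessionId == null || submitted == null) return false;
        byte[] expected = tokenFor(sessionId).getBytes(StandardCharsets.UTF_8);
        byte[] actual = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Constructed sample values; a deployment loads the secret from configuration.
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        DerivedCsrfToken csrf = new DerivedCsrfToken(secret);
        String sessionId = "A1B2C3D4E5F6"; // constructed, stands in for HttpSession.getId()
        String token = csrf.tokenFor(sessionId);
        System.out.println("token: " + token);
        System.out.println("same session accepted: " + csrf.isValid(sessionId, token));
        System.out.println("other session accepted: " + csrf.isValid("F6E5D4C3B2A1", token));
    }
}
```

The derivation alone does not keep an expired session alive; the answer's point about re-creating the anonymous session from the incoming id still has to be handled in Spring Security for the old page's token to verify.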