Tags: spring, spring-boot, spring-security, csrf-protection, spring-social-facebook

What's the difference between authenticated() and csrf in Spring Security?


I have a web app built using ReactJS + Spring Boot/Social/Security.

I want to make sure when I release it, I'm protected from CSRF. I'm using most of Spring Security out of the box and below is my basic configure() override:

import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login/facebook").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/api/**").authenticated()
                .and()
            .csrf().disable();   // CSRF protection switched off for every request
    }
}

My question is, since all of my (/api/**) requests to the backend are only allowed when authenticated, does this protect me from CSRF?

To be clear, when the user authenticates with Facebook via the Spring Social plugin, I redirect the call to an endpoint (/login/facebook) in my backend app to handle a successful login. In this method, I do the following:

// Three-argument constructor: the token is marked as authenticated (no credentials, no granted authorities)
UsernamePasswordAuthenticationToken authentication =
        new UsernamePasswordAuthenticationToken(theUser.getFacebookId(), null, null);

// Store it in the security context so the current session is treated as logged in
SecurityContextHolder.getContext().setAuthentication(authentication);

This makes sure that any subsequent requests made to /api will be recognized as authenticated.


Solution

  • Authentication is the act or process of confirming that someone claims to be who he or she is.

    OWASP: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

    The difference is that authentication is a confirmation process, but CSRF is an attack that takes advantage of authenticated users, because it forces a web application to make a transaction that in fact comes from an already authenticated user, while the user doesn't even know that the evil transaction has been made. This is a very normal use case for a CSRF attack:

    1. User goes to mybank.com
    2. User fills in username and password and presses the login button (authentication)
    3. mybank.com shows a welcome page and lists the options to make a money transfer
    4. User sees an unusual popup to visit a very cool site with cool pictures, and clicks the popup message (maybe an XSS attack)
    5. User returns to mybank.com and sees that a new money transfer has been made and a withdrawal of $$$$ has completed successfully (a CSRF attack that comes from the click on the evil popup of cool pictures)

    What I'm trying to say is that authentication doesn't mitigate CSRF vulnerabilities. There are different ways to avoid CSRF vulnerabilities using Spring; go to the Spring documentation to get very helpful information on how to configure CSRF and mitigate this vulnerability: Spring Security CSRF attack. If you want to know more about CSRF, go to the OWASP site: OWASP CSRF attack.

    Some examples of how to avoid CSRF:

    1. List all the critical actions that a user can do, for example change password, money transfer, sending a massive message, deleting rows and so on, and use a double authentication process, for example ask the user questions that only the user knows (favorite food, father's second name, usually the kind of questions that the user has to fill in at the signup process). Ask the questions before the action is made in order to confirm with double authentication.
    2. Use a security token for every HTTP request, and that token should be validated by your application; it prevents an evil site from sending you a valid request, because the evil site doesn't know what the token number is.
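For the second option, here is the questioner's configuration with CSRF protection kept on instead of disabled, as an added example that is neither the questioner's nor the answerer's code. It assumes the same WebSecurityConfigurerAdapter-era Spring Security (4.1 or later) as in the question, and that the React client reads the cookie and echoes the token back in a request header.

```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login/facebook").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/api/**").authenticated()
                .and()
            // Replaces .csrf().disable(). CsrfFilter now generates a per-session token
            // and rejects any state-changing request (POST, PUT, PATCH, DELETE) that does
            // not carry it; GET/HEAD/OPTIONS/TRACE pass through without a token.
            .csrf()
                // Token is written to a readable (non-HttpOnly) XSRF-TOKEN cookie so that
                // JavaScript served from this origin can read it; a cross-site page cannot.
                // The client must send it back in the X-XSRF-TOKEN header (or _csrf param).
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

On the React side the fetch/axios call reads the XSRF-TOKEN cookie and sets the X-XSRF-TOKEN header on every non-GET request to /api/**; a request that lacks the header, such as one forged from another site, is answered with 403 by CsrfFilter before it reaches the controller.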