I have a web app built using ReactJS + Spring Boot/Social/Security.
I want to make sure when I release it, I'm protected from CSRF. I'm using most of Spring Security out of the box and below is my basic configure() override:
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/login/facebook").permitAll()
                    .antMatchers("/logout").permitAll()
                    .antMatchers("/api/**").authenticated()
                .and()
                // CSRF protection switched off for the whole app
                .csrf().disable();
        }
    }
My question is, since all of my (/api/**) requests to the backend are only allowed when authenticated, does this protect me from CSRF?
To be clear, when the user authenticates with Facebook via the Spring Social plugin, I redirect the call to an endpoint (/login/facebook) in my backend app to handle a successful login. In this method, I do the following:
    // Three-argument constructor marks the token as already authenticated
    UsernamePasswordAuthenticationToken authentication =
            new UsernamePasswordAuthenticationToken(theUser.getFacebookId(), null, null);
    SecurityContextHolder.getContext().setAuthentication(authentication);
This makes sure that any subsequent requests made to /api will be recognized as authenticated.
Authentication is the act or process of confirming that someone claims to be who he or she is.
OWASP: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
The difference is that authentication is a confirmation process, but CSRF is an attack that takes advantage of authenticated users, because it forces a web application to make a transaction that in fact comes from an already authenticated user, but the user doesn't even know that the evil transaction has been made. This is a very normal use case for a CSRF attack:
What I am trying to say is that authentication doesn't mitigate CSRF vulnerabilities. There are different ways to avoid CSRF vulnerabilities using Spring; go to the Spring documentation to get very helpful information on how to configure CSRF and mitigate this vulnerability: Spring Security CSRF attack. And if you want to know more about CSRF, go to the OWASP site: OWASP CSRF attack.
Some examples of how to avoid CSRF:
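As an added illustration (not the answerer's examples and not the asker's project code), this is the configuration from the question with `.csrf().disable()` replaced by Spring Security's built-in token check, set up the way a React front end needs it. It assumes the same Spring Boot 1.x / Spring Security 4.x+ APIs the question uses (`SecurityProperties.ACCESS_OVERRIDE_ORDER`, `WebSecurityConfigurerAdapter`) and that `/login/facebook` is only ever reached via the Facebook redirect:

```java
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Same access rules as in the question: authentication still decides
                // WHO may call /api/**, it just says nothing about WHICH page the
                // browser was on when it sent the request.
                .antMatchers("/login/facebook").permitAll()
                .antMatchers("/logout").permitAll()
                .antMatchers("/api/**").authenticated()
            .and()
            .csrf()
                // Issue the CSRF token in an XSRF-TOKEN cookie that JavaScript may
                // read (httpOnly = false). The React app copies its value into the
                // X-XSRF-TOKEN request header on every state-changing call
                // (POST/PUT/PATCH/DELETE); GET/HEAD/OPTIONS/TRACE are not checked.
                // A page on another origin cannot read that cookie, so a forged
                // request arrives with the session cookie but without a matching
                // header, and CsrfFilter rejects it with HTTP 403.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // The Facebook callback is a redirect that originates on Facebook's
                // site and therefore cannot carry our token. Assumption: that flow is
                // protected by the OAuth "state" parameter instead, so it is excluded
                // here rather than left to fail the token check.
                .ignoringAntMatchers("/login/facebook");
    }
}
```

On the client side nothing custom is required if the React app talks to the backend with axios: its defaults already read the `XSRF-TOKEN` cookie and send it as `X-XSRF-TOKEN`. With plain `fetch` the app has to read the cookie and set the header itself. A quick check that protection is on: a `POST /api/...` sent with a valid session cookie but no `X-XSRF-TOKEN` header must come back as 403, whereas with the configuration in the question it would succeed.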