I don't understand why CSRF was disabled in the SecurityConfig. Our security team has pointed out that it should not be disabled in the SecurityConfig.
If I put all this code into WordPress, will it still work? I struggle to find a tutorial that explains the whole coding system behind it, and I just want to secure my website.
Using this workflow to protect your website is good. But there are other complements (like authentication, or even HTTPS). I'm not sure I understand what you want to do with WordPress.
You need to share the session information between the servers. You can do it like this: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-YWVjnJsJRG0.html
Please help me! I have permitted all endpoints using permitAll(), but only GET methods are accessible, whereas POST methods return a FORBIDDEN error: "You don't have permission to access this". If I disable CSRF in the SecurityFilterChain, then POST methods without parameters can be accessed, but if there are parameters, they still return a FORBIDDEN error.
How do you access the POST endpoints? Via Postman, a terminal or a browser? Because CSRF needs to set a cookie to identify the session. If you use Postman or a terminal, this is not done by default.
Thanks for this. I have one question: how can I test my backend with Postman if I have CSRF enabled? I tried getting the CSRF token first, but when I make the POST call, the server's CSRF token has already changed.
Hi, great video!! Although I still get the 403 Forbidden issue after implementing the same code as shown in the video. I'm developing an Angular library for which I have a Spring Boot layer for all the back-end calls. I don't require the login security as it's already there for the main app; I just need the CSRF validation for API calls. Awaiting your response 😊
Hi, this was an amazing video on this subject. I haven't seen anyone explain how it works until now. Still, I have one question remaining: where can I learn about Spring Security in depth? It would be great if you could provide me some links to resources. Thanks!
A token in the URL is a bad practice, as the URL can easily be traced. I've already done a video about authentication with a token and Angular at ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-YUqi1IjLX8I.html. About sending mail, it could be interesting, let me add it to my TODO list 😉
Why did you use webMvcConfigurer here? In another video you said to use CORS this way if we are using Spring Security: "If you use Spring Security, it's recommended to use this way instead of WebMvcConfigurer. This way, a CorsFilter is put in place which intercepts all the requests. With WebMvcConfigurer, not all the requests are intercepted, only those from the MVC Web."
Sorry, I don't have any article about that. What you have to do is make the frontend request the CSRF endpoint before each request. Nothing more. The problem comes when you have several requests at the same time. I don't know how to handle this case.
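Several of the questions above come down to the same three points: permitAll() only disables authorization, not the CSRF check, so a POST without a token is still answered with 403; the token lives in a cookie that Postman or a terminal will not send back unless told to; and, as the reply about CORS says, Spring Security's own CorsFilter rather than WebMvcConfigurer is what lets a cross-origin Angular app reach the API. The following is an added example written for this thread, not code from the video or from any commenter. It shows a Spring Security 6 configuration that keeps CSRF enabled, exposes a small endpoint the frontend calls to obtain the token cookie, and wires CORS through Spring Security. The origin http://localhost:4200, the endpoint paths and the class names are assumptions chosen for the example.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CORS is handled by Spring Security's CorsFilter, which runs before the CSRF filter,
            // so the browser's preflight (OPTIONS) requests are answered even though they carry no token.
            .cors(Customizer.withDefaults())
            .csrf(csrf -> csrf
                // CSRF stays enabled. The token is kept in an XSRF-TOKEN cookie that is readable
                // from JavaScript so the SPA can copy it into the X-XSRF-TOKEN request header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Accept the raw token value in the header. The default handler XOR-masks the token
                // and expects the client to send the masked form, which a plain SPA does not do.
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
            // permitAll() only affects authorization; the CSRF check still applies to POST/PUT/DELETE.
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }

    // Assumption: the Angular dev server runs on http://localhost:4200.
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("http://localhost:4200"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN"));
        // Needed so the browser sends the XSRF-TOKEN (and any session) cookie cross-origin.
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}

@RestController
class DemoController {

    // Resolving CsrfToken as a parameter forces the lazily generated token to be created and the
    // XSRF-TOKEN cookie to be written. The frontend calls this before its first mutating request.
    @GetMapping("/api/csrf")
    CsrfToken csrf(CsrfToken token) {
        return token;
    }

    // A mutating endpoint: the request must carry the XSRF-TOKEN cookie and the X-XSRF-TOKEN
    // header with the same value, otherwise Spring Security answers 403 before this code runs.
    @PostMapping("/api/echo")
    String echo(@RequestBody String body) {
        return body;
    }
}
```

To exercise this from Postman or curl, first GET /api/csrf while storing cookies (in curl, a cookie jar via -c), then send the POST with the stored cookies (-b) and an X-XSRF-TOKEN header whose value equals the XSRF-TOKEN cookie. Sending the POST without the cookie is exactly the "token has already changed" symptom described above: with no cookie on the request the server sees a fresh client each time and the token from the earlier GET no longer matches. In the browser, Angular's HttpClient reads the XSRF-TOKEN cookie and adds the X-XSRF-TOKEN header on its own for same-origin requests, so one GET to /api/csrf at startup is enough rather than one before every request.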