pac4j/javalin-pac4j

How to use CSRF?

Opened this issue · 1 comment

Was wondering if you could clarify how to use the CSRF protection in PAC4J with Javalin? I've fiddled around with it and, although I'm not getting any errors, it doesn't seem to be adding the protection either. From my understanding, we'd first need to register an authorizer here:

fun buildConfig(clients: Clients): Config {
    val config = Config(clients)
    // token is accepted as a form parameter or a request header named X-CSRF-TOKEN
    config.addAuthorizer("csrf", CsrfAuthorizer("X-CSRF-TOKEN", "X-CSRF-TOKEN"))
    return config
}

I then assumed we would need to set up a security handler which used the relevant client and authorizer, i.e.:

val handler = SecurityHandler(config,"FacebookClient","csrf")

Then use that in a before handler.

Problem is, I am getting a pac4j CSRF token cookie back, so it is definitely doing something, but equally it is not stopping me from sending a form with no CSRF token via POST, so I obviously don't understand how to integrate this.

It might be really useful for other people to add an example of this to the JavalinPac4jExample.

Normally, you don't have anything to do. With pac4j v4, by default, the matchers are "securityHeaders,csrfToken" (http://www.pac4j.org/docs/matchers.html) which means a CSRF token is generated (saved in request, session and cookie). And by default, the authorizers are "csrfCheck" which means that each POST request must contain the CSRF token (http://www.pac4j.org/docs/authorizers.html).

So you need to take the CSRF token from the request or cookie and add it to the POST form.
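The following is an added, self-contained Javalin example illustrating the answer above; it is not code from this thread or from the javalin-pac4j project. It keeps the poster's "X-CSRF-TOKEN" names, protects both the GET that renders the form and the POST that receives it with the same SecurityHandler, reads the generated token from the request attribute and places it in a hidden form field. Assumptions: Javalin 3 API, pac4j 3.x/4.x package names (org.pac4j.core.authorization.authorizer.csrf.CsrfAuthorizer, org.pac4j.core.client.direct.AnonymousClient), that javalin-pac4j exposes pac4j request attributes through ctx.attribute(...), and that the token is stored under Pac4jConstants.CSRF_TOKEN. AnonymousClient is used only so that the authorizer chain runs without a real login; swap in the real client (e.g. "FacebookClient") for production.

```kotlin
import io.javalin.Javalin
import org.pac4j.core.authorization.authorizer.csrf.CsrfAuthorizer
import org.pac4j.core.client.Clients
import org.pac4j.core.client.direct.AnonymousClient
import org.pac4j.core.config.Config
import org.pac4j.core.context.Pac4jConstants
import org.pac4j.javalin.SecurityHandler

// Name under which the token must be sent back (form parameter or HTTP header).
// Leaving the authorizer argument out of SecurityHandler would use the default "csrfCheck"
// authorizer instead, which expects the name Pac4jConstants.CSRF_TOKEN ("pac4jCsrfToken").
const val CSRF_NAME = "X-CSRF-TOKEN"

fun buildConfig(): Config {
    // AnonymousClient: assumption for a runnable demo, produces a profile without a login step
    val config = Config(Clients(AnonymousClient.INSTANCE))
    config.addAuthorizer("csrf", CsrfAuthorizer(CSRF_NAME, CSRF_NAME))
    return config
}

// Minimal HTML escaping so the token (and anything else) can be embedded safely in the page.
fun escapeHtml(s: String): String =
    s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;")

fun main() {
    val config = buildConfig()
    val app = Javalin.create().start(7000)

    // The default matchers ("securityHeaders,csrfToken") run inside SecurityHandler, so the token
    // is generated and stored (request attribute, session, cookie) on the GET that renders the form.
    // The "csrf" authorizer then rejects any POST whose X-CSRF-TOKEN does not match the session copy.
    val security = SecurityHandler(config, "AnonymousClient", "csrf")
    app.before("/form", security)
    app.before("/submit", security)

    app.get("/form") { ctx ->
        // Assumption: javalin-pac4j stores pac4j request attributes via ctx.attribute(name, value)
        val token = ctx.attribute<String>(Pac4jConstants.CSRF_TOKEN) ?: ""
        ctx.html(
            """
            <form method="post" action="/submit">
              <input type="hidden" name="$CSRF_NAME" value="${escapeHtml(token)}">
              <input name="msg">
              <button type="submit">Send</button>
            </form>
            """.trimIndent()
        )
    }

    // Reached only when the authorizer accepted the request; a POST without the token (or with a
    // stale one) is answered by pac4j's security logic with 403 before this handler runs.
    app.post("/submit") { ctx ->
        ctx.result("accepted: " + escapeHtml(ctx.formParam("msg") ?: ""))
    }
}
```

With the app running, loading /form in a browser and submitting the form succeeds, while a plain `curl -X POST -d msg=hi http://localhost:7000/submit` from outside the session is refused. For JSON clients the same token can be sent as the X-CSRF-TOKEN request header instead of a form field, since the CsrfAuthorizer above was given that name for both the parameter and the header.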