pac4j/javalin-pac4j

Csrf Don't work when use NullSessionCache

ysogata opened this issue · 3 comments

NullSessionCache and CSRF cannot be used at the same time.
I suspect this is because the DataSource is not yet available when the CSRF token is fetched from the session in the before handler.
As a result, all POST/PUT requests end up returning 403.

Could you tell me how to deal with this?
Thank you.

Indeed, by design, the CSRF token you send is compared to the CSRF token saved in the session. So you need a session.

@leleuj NullSession"Cache" uses a session, not a cache on the server. I use a session. Please see https://javalin.io/tutorials/jetty-session-handling

If you have a real session, it should work.

The default csrfToken matcher (https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/matching/matcher/csrf/CsrfTokenGeneratorMatcher.java#L36) retrieves the generated CSRF token from the session and saves it in the request and in a cookie.
The default csrfCheck authorizer (https://github.com/pac4j/pac4j/blob/master/pac4j-core/src/main/java/org/pac4j/core/authorization/authorizer/CsrfAuthorizer.java#L41) checks the passed CSRF token against the one in the session for a POST request.

Put breakpoints in these classes to see what's going on.
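The two-step flow described in the last reply (a matcher that issues the token into the session, request and cookie, and an authorizer that compares the submitted token with the session copy on state-changing requests) is the synchronizer token pattern, and the 403s in the question are exactly what it produces when the session never retains the token. The following is an added model of that flow written for this thread; it is not pac4j's or javalin-pac4j's code, and the token name `pac4jCsrfToken`, the request/session dictionaries, and the `NullSession` class are assumptions of the example. It reproduces the symptom: a session that persists the token lets a POST through, while a session that discards writes rejects every POST, even one that echoes back the token it was just given.

```python
import hmac
import secrets

# Assumed to mirror pac4j's default parameter/header/cookie name for the token;
# this is an assumption of the example, not verified against the library.
TOKEN_NAME = "pac4jCsrfToken"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class NullSession(dict):
    """Models a session that never persists anything: every write is discarded."""

    def __setitem__(self, key, value):
        pass


def make_request(method, headers=None, params=None):
    """Constructed request object: method, inbound headers/params, outbound state."""
    return {"method": method, "headers": headers or {}, "params": params or {},
            "attributes": {}, "set_cookies": {}}


def csrf_token_matcher(request, session):
    """Model of the csrfToken matcher: make sure the session holds a token,
    then expose that token to the view via a request attribute and a cookie.
    A matcher only decorates the request; it never blocks it."""
    token = session.get(TOKEN_NAME)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[TOKEN_NAME] = token      # silently lost on a NullSession
    request["attributes"][TOKEN_NAME] = token
    request["set_cookies"][TOKEN_NAME] = token
    return True


def csrf_authorizer(request, session):
    """Model of the csrfCheck authorizer: a state-changing request must carry
    the same token the session holds. Missing on either side means deny."""
    if request["method"] in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_NAME)
    sent = request["headers"].get(TOKEN_NAME) or request["params"].get(TOKEN_NAME)
    if expected is None or sent is None:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, sent)


def handle(request, session):
    """Run the filter chain for one request: matcher first, then authorizer.
    Returns the HTTP status the request would get."""
    csrf_token_matcher(request, session)
    return 200 if csrf_authorizer(request, session) else 403


def scenario(session):
    """A form round-trip: GET the page (token issued), then POST it straight back."""
    page = make_request("GET")
    handle(page, session)
    issued = page["attributes"][TOKEN_NAME]
    post = make_request("POST", headers={TOKEN_NAME: issued})
    return handle(post, session)


if __name__ == "__main__":
    print("real session, POST with issued token:", scenario({}))            # 200
    print("null session, POST with issued token:", scenario(NullSession()))  # 403
```

With `NullSession`, the GET still hands a token to the page (the matcher wrote it into the request attribute and cookie), so the client looks correctly wired, but the next request sees an empty session, the matcher mints a fresh token, and the authorizer has nothing to compare against. That is why the reported failure looks like "every POST/PUT is 403" rather than an error at startup, and why the fix is a session that actually persists between requests, not a change to the token handling.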