aditzel / spring-security-csrf-token-interceptor Goto Github PK

Interceptor currently does a HEAD on every POST, making it unnecessarily chatty. Update so that it caches value on initial load, then only when the token value changes.

The intercepter should allow to configure the XMLHttpRequest url in order to make it flexible to use.
I'm currently using an EAR project with two WARs inside, and only one is being developed with Angular JS and Spring Security and I can't set the url for the correct context.

Hi,

I followed the readme to configure the module but I'm getting an "Unknown provider: csrfProvider" error. I looked at the source and it doesn't seem to be creating any providers. Am I missing anything?

http://www.aspenrootsdevelopment.com/posts/AngularJS-HTTP-Service-Success-Handler-400-Response-Code-and-Interceptors/

The fix is using return $q.reject(response) on the responseError interceptor.

Hello,

When you install with bower the latest tagged version (0.1.5) is retrieved.
When I tried to run .configure with csrfProvider I get an error that this provider is not available. Which is correct, because it did not exist yet in 0.1.5.

When I manually try to retrieve 0.2.0 it says:

bower ENORESTARGET No tag found that was able to satisfy 0.2.0

Additional error details:
Available versions: 0.1.5, 0.1.4, 0.1.3, 0.1.2, 0.1.1, 0.1.0

I think the only thing you need to do is create a new tag?
Thanks!

Thank you for creating this utility.

I am using Spring Security 3.2 which has CSRF enabled by default. I was unable to see the CSRF tokens in the Chrome Dev Tools/ Console and so I added a filter to let the server send the CSRF tokens in header. (Not sure if creating filter is the right approach, as I did not see any other way to show the CSRF token in Chrome Dev Tools)

My problem is, for the landing page I am getting one CSRF token. After I authenticate and login to the application and make any other service call a new CSRF token is generated in response, but this code is intercepting the call only once in the beginning and the new CSRF token that was generated by the server after authentication is not being read anymore.

Hello,

I'm using your AngularJS interceptor and I got the following warning message when I debug in the browser (chrome).
"Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check http://xhr.spec.whatwg.org/. It refers to the line 29 in 'src/spring-security-csrf-token-interceptor.js' :
xhr.open('head', '/', false);

If I change false to true, the warning message disappears. I don't really understand it.

Do you know something about that ?

many thanks

After adding spring-security-csrf-token-interceptor to my application, Google geocoding stopped working with a "Cross-Origin Request Blocked" error message.

See https://github.com/masa67/spring-security-ng-cors.git for an example.