The difference on this fork is the use of status number 401
instead of 403
. Maybe one day we could make this an configurable option.
An AngularJS interceptor that will include the CSRF token header in HTTP requests.
It does this by doing an AJAX HTTP HEAD call to / by default, and then retrieves the HTTP header 'X-CSRF-TOKEN' and sets this same token on all HTTP requests.
spring-security-csrf-token-interceptor
also supports configuring the CSRF header name, number of retries allowed in-case of Forbidden errors, restrict adding the CSRF tokens to some HTTP types etc.
$ bower install spring-security-csrf-token-interceptor
$ npm install spring-security-csrf-token-interceptor
Include this as a dependency on your application:
angular.module('myApp', ['spring-security-csrf-token-interceptor']);
Use the configProvider
to customize the interceptor behavior. Check Configuration section for more details.
csrfProvider.config({});
The following options are available for configuring the interceptor,
Note: All these below configurations are optional.
-
options
(Object) - Options to customize the CSRF interceptor behavior. -
options.url
(String) - The URL to which the initial CSRF request has to be made to get the CSRF token. Default:\
. -
options.csrfHttpType
(String) - The HTTP method type which should be used while requesting the CSRF token call. Default:head
. -
options.maxRetries
(Number) - The number of retries allowed for CSRF token call in-case of 403 Forbidden response errors. Default:5
. -
options.csrfTokenHeader
(Array) - Set this option to add the CSRF headers only to some HTTP requests. Default:['GET', 'HEAD', 'PUT', 'POST', 'DELETE']
. -
options.csrfTokenHeader
(String) - Customize the name of the CSRF header on the requests. Default:X-CSRF-TOKEN
.
angular
.module('myApp', [
'spring-security-csrf-token-interceptor'
])
.config(function(csrfProvider) {
// optional configurations
csrfProvider.config({
url: '/login',
maxRetries: 3,
csrfHttpType: 'get',
csrfTokenHeader: 'X-CSRF-XXX-TOKEN',
httpTypes: ['PUT', 'POST', 'DELETE'] //CSRF token will be added only to these method types
});
}).run(function() {
});