
I have dockerized Spring Boot + React deployed on an AWS ECS cluster and everything seems to work fine, but I am unable to get the CSRF token from cookies. I want to point out that this behavior happens only on AWS, in production, and not locally. Locally I use the same function to get the CSRF token from browser cookies and it works perfectly. So again, locally Spring Boot sets the token in cookies and React gets the token without problem.

So why is that? Has anyone encountered this issue? Thanks.

This is the way we get cookies from the React/frontend app and it works locally just fine:

   import Cookie from 'js-cookie';
   // Cookie.get is synchronous; it returns undefined when the cookie is absent,
   // is HttpOnly, or was set for a different host than the page's origin
   const xsrfToken = await Cookie.get('XSRF-TOKEN');

This is how I set the header from the Spring Boot application:

     import java.io.IOException;
     import jakarta.servlet.FilterChain;
     import jakarta.servlet.ServletException;
     import jakarta.servlet.http.HttpServletRequest;
     import jakarta.servlet.http.HttpServletResponse;
     import org.springframework.security.web.csrf.CsrfToken;
     import org.springframework.web.filter.OncePerRequestFilter;

     public class CsrfCookieFilter extends OncePerRequestFilter {
         @Override
         protected void doFilterInternal(HttpServletRequest request,
                 HttpServletResponse response, FilterChain filterChain)
                 throws ServletException, IOException {
             // Populated by Spring Security's CsrfFilter; null on requests that bypass it
             CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
             if (csrfToken != null) {
                 // getToken() resolves the deferred token, which is also what makes
                 // the token repository write the XSRF-TOKEN cookie
                 response.setHeader(csrfToken.getHeaderName(), csrfToken.getToken());
             }
             filterChain.doFilter(request, response);
         }
     }

SecurityConfig of Spring Boot:

    // Fragment of the SecurityFilterChain bean body; the csrf(...) call that
    // consumes requestHandler is not shown in the post
    CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
    requestHandler.setCsrfRequestAttributeName("_csrf");

    http.sessionManagement(session ->
            session.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
        .cors(corsCustomizer ->
            corsCustomizer.configurationSource(new CorsConfigurationSource() {
                @Override
                public CorsConfiguration getCorsConfiguration(HttpServletRequest request) {
                    CorsConfiguration config = new CorsConfiguration();
                    config.setAllowedMethods(Collections.singletonList("*"));
                    config.setAllowCredentials(true);
                    config.setAllowedOriginPatterns(Collections.singletonList("*"));
                    config.setAllowedHeaders(Collections.singletonList("*"));
                    // Only Authorization is exposed, so a frontend on another origin
                    // cannot read the X-XSRF-TOKEN response header set by CsrfCookieFilter
                    config.setExposedHeaders(Arrays.asList("Authorization"));
                    config.setMaxAge(3600L);
                    return config;
                }
            }));

Initially it was saying that an SSL certificate is required, so I created one for the backend and one for the frontend.
And also the CSRF token was not set in cookies at all, but now it's set. I can not say why that is…
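A complete SecurityFilterChain for this kind of setup, added here as an example and not the poster's code. It assumes the CsrfCookieFilter class from the question sits in the same package; the frontend origin and the X-XSRF-TOKEN header name are assumptions. It stores the token in a cookie that JavaScript may read and exposes the token header through CORS, so a React app served from a different host than the API can take the token from the response header instead of from a cookie scoped to the backend host.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CsrfSecurityConfig {
    // Assumed frontend origin. With allowCredentials(true) a concrete origin is
    // required; a wildcard would let any site send credentialed requests.
    private static final String FRONTEND_ORIGIN = "https://frontend.example.com";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
        requestHandler.setCsrfRequestAttributeName("_csrf");

        // withHttpOnlyFalse(): js-cookie can only read XSRF-TOKEN if the cookie is
        // not HttpOnly. The cookie is still scoped to the backend host, so a frontend
        // on another host cannot read it; the exposed header below covers that case.
        http.csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(requestHandler))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED))
            .cors(cors -> cors.configurationSource(corsSource()))
            // Runs after authentication so the CsrfToken request attribute exists
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
        return http.build();
    }

    private UrlBasedCorsConfigurationSource corsSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of(FRONTEND_ORIGIN));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        config.setAllowedHeaders(List.of("Content-Type", "Authorization", "X-XSRF-TOKEN"));
        // Without this entry the browser hides the token header from fetch()/axios
        config.setExposedHeaders(List.of("Authorization", "X-XSRF-TOKEN"));
        config.setAllowCredentials(true);
        config.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

The frontend then reads the X-XSRF-TOKEN response header from any credentialed API call and sends it back as the X-XSRF-TOKEN request header on state-changing requests.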

2

Answers


  1. Chosen as BEST ANSWER

    I solved it by saving cookies in localStorage instead of cookies.

