Principal is null when CSRF disabled - spring-security

I'm creating a webapp that uses spring-boot-starter-security and spring-security-oauth2 to use Facebook for login.
To avoid implementing all that CSRF-stuff in angular 2 (and because it's just a toy project) I want to turn off CSRF.
I have implemented the following configuration:
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
But now the Principal-Object is always null:
Task createTask(#RequestBody Task task, Principal principal) {
// do stuff
}
Why?
I guess I unintentionally overwrite the security config configured in my application.yaml, but even if I add an Order-Annotation it doesn't work :(
Edit:
Request headers (I created a Filter to add a XSRF-TOKEN cookie, ignore that):
POST /foo HTTP/1.1
Host: localhost:81
Connection: keep-alive
Content-Length: 15
Origin: http://localhost:81
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://localhost:81/create-task
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: _ga=GA1.1.681162454.1458756836; JSESSIONID=F65FB28C14A8A2D870D18842DE855212; XSRF-TOKEN=551858ab-678e-4dcb-bc72-44fbc569ec41

Related

DART HttpRequest does not provide authorization header for CORS OPTIONS request

I try to do a POST request with HttpRequest (dart:html) to call a rest service secured with basic authentication.
HttpRequest request = new HttpRequest(); // create a new XHR
var url = "http://localhost:8082/xyz";
request.open("POST", url, async: false); // POST the data to the server
String username = "foo";
String password = "bar";
final auth = CryptoUtils.bytesToBase64(UTF8.encode("$username:$password"));
request.setRequestHeader('authorization',"Basic $auth");
request.setRequestHeader('content-type',"application/json");
request.setRequestHeader("accept", "application/json");
String jsonData = '{"language":"dart"}'; // etc...
request.send(jsonData); //exception 401 Unauthorized
Before performing the POST call the OPTIONS call is performed (issued by dart:html) without the authorization header. This leads into an 401 Unauthorized response.
Request header:
Accept:*/*
Accept-Encoding:
gzip,deflate,sdch
Accept-Language:
en-US,en;q=0.8
Access-Control-Request-Headers:
authorization, content-type, accept
Access-Control-Request-Method:
POST
Cache-Control:
max-age=0
Connection:
keep-alive
Host:
localhost:8082
Origin:
http://localhost:63342
Referer:
http://localhost:63342/dart_client/test/all_test.html
User-Agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.0 (Dart) Safari/537.36
Reponse header:
Content-Length:
0
Date:
Mon, 02 Feb 2015 23:33:58 GMT
Server:
Jetty(9.2.7.v20150116)
WWW-Authenticate:
basic realm="xyzrealm"
Is there a way to provide the authorization header to the OPTIONS call?
Any suggestions would be great. Thanks
The OPTIONS request is made by the browser automatically and you can't modify that request. The server needs to allow the OPTIONS preflight request without authentication.
See http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0
The user credentials are excluded.

Response Permanent Redirect in MVC not issuing 301 or changing URL

I am converting an old ASP.NET web forms site to ASP.NET MVC 5. I would like to issue permanent redirects for the old page URLs.
Here is what I have done -
RouteConfig.cs:
routes.MapRoute("About_old",
"About/About.aspx",
new { controller = "Home", action = "About_old" });
HomeController.cs:
public ActionResult About_old()
{
return new RedirectResult("/About", true);
// I've also tried
// return RedirectToActionPermanent("About");
// return RedirectPermanent("/About");
}
All attempts load the correct /About view, however the URL does not change, and I do not see a 301 code in the response. In other words, the URL is "localhost/About/About.aspx" and I expect it to be "localhost/About"
Complete Request/Repsonse from Chrome:
Request URL:http://localhost:55774/About/About.aspx
Request Method:GET
Status Code:200 OK
Request Headers
GET /About/About.aspx HTTP/1.1
Host: localhost:55774
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Response Headers
Cache-Control:private
Content-Encoding:gzip
Content-Length:2284
Content-Type:text/html; charset=utf-8
Date:Sat, 01 Mar 2014 18:10:41 GMT
Server:Microsoft-IIS/8.0
Vary:Accept-Encoding
X-AspNet-Version:4.0.30319
X-AspNetMvc-Version:5.1
X-Powered-By:ASP.NET
Nowhere do I see a 301 and the URL does not change. I have to think this has to do with how I am mapping the route of the old aspx page in RouteConfig.cs as all action methods have the same results. NOTE I have put a solution using global.asax below, however I would prefer it to work as I am attempting above, so I have not accepted my answer.
Am I doing something wrong or just missing something? How do I get the 301 to issue and URL to change?
Here is my solution (Global.asax)
protected void Application_PreRequestHandlerExecute(Object sender, EventArgs e)
{
string currentUrl = HttpContext.Current.Request.Path.ToLower();
if (currentUrl.EndsWith("/about/about.aspx"))
{
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", "/About");
Response.End();
}
}
From answer here: Global 301 redirection from domain to www.domain

Does HttpServer handle the same request twice?

Trying to set up a simple Dart HttpServer:
import 'dart:io';
void main() {
HttpServer.bind(InternetAddress.ANY_IP_V4, 80).then((server) {
server.listen((HttpRequest request) {
request.response.write('Hello, world.');
request.response.close();
print(new DateTime.now());
print(request.connectionInfo.remoteAddress);
print(request.method);
print(request.headers.toString());
print("--------------");
});
});
print("listing....");
}
When hitting localhost from a browser (Chrome), it appears as if the incoming request is handled twice:
listing....
2013-11-07 15:19:24.478
InternetAddress('127.0.0.1', IP_V4)
GET
host: localhost:80
connection: keep-alive
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
accept-encoding: gzip,deflate,sdch
accept-language: en-US,en;q=0.8
--------------
2013-11-07 15:19:24.554
InternetAddress('127.0.0.1', IP_V4)
GET
host: localhost:80
connection: keep-alive
accept: */*
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
accept-encoding: gzip,deflate,sdch
accept-language: en-US,en;q=0.8
--------------
Those two requests look almost identical, except for the accept header. Doesn't look like the browser is firing up the request twice:
So, why does the request get handled twice?
EDIT: Dart SDK version 0.8.10.6_r30036
You don't output what is requested (the url member of the request instance) and that is the difference between the two requests.
The first request requests the file you try to open, probably /. The second request is issued internally by the browser and requests favicon.ico to display the icon in the address bar / tab title.

Angular HTTP Post using CORS works behind the scene, but doesn't "succeed"

I'm working on an AngularJS project, and I need to perform a cross-domain (CORS) POST.
It took me a (long) while to get it working, and well, it now sort of work:
The pre flight (OPTIONS) request is sent correctly, and my server
responds to it correctly as well.
The actual POST request is sent
correctly as well, my server receives it all right, and returns a 201
(created) response as it should.
So what is the problem?
Well the Angular $http object doesn't then go to the "success" callback, but to the "error" callback instead... with a status code of 0 and no specific error.
So from my page, I have no way to know if my request actually worked. The only way I know that it does work is by controlling (debugging) the server and using Fiddler.
Did anybody run into this problem before? It's a bit frustrating to have a working solution but not being able to tell that it actually worked :)
Here is my $http request:
this.simulate = function (url, content) {
var deferred = $q.defer();
var data = { "Data": content, "Timestamp": new Date() };
$http.defaults.useXDomain = true;
$http.post(url, data)
.then(function(response) {
deferred.resolve({
isSuccess: true,
httpCode: response.status,
errorMessage: "",
url: url,
data:data
});
},function(response) { // This is this error callback that is being called, despite the fact that my request is working fine...
deferred.resolve({
isSuccess: false,
httpCode: response.status,
errorMessage: response.data.Message + " " + response.data.ExceptionMessage,
url: url,
data: data
});
});
return deferred.promise;
};
In fiddler, this is what I get:
The pre-flight request:
OPTIONS http://myServer:82/xclient/event/volupdate HTTP/1.1
Host: myServer:82
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://myClient:1855
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Access-Control-Request-Headers: accept, origin, x-requested-with, authorization, ssotoken, content-type
Accept: */*
DNT: 1
Referer: http://myClient:1855/XClient/testharness/eventing
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr-FR;q=0.4
Which gives me that pre-flight response:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
Access-Control-Allow-Origin: http://myClient:1855
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: accept, origin, x-requested-with, authorization, ssotoken, content-type
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 07 Aug 2013 10:13:05 GMT
Content-Length: 0
And then this is followed by the actual POST request:
POST http://myServer:82/xclient/event/volupdate HTTP/1.1
Host: myServer:82
Connection: keep-alive
Content-Length: 56
Origin: http://myClient:1855
Authorization: SSOB2L1ax<BLAHBLAHBLAH>EP49w=|0|jaussan|System X|20130825131712|1748001|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
DNT: 1
Referer: http://myClient:1855/XClient/testharness/eventing
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,fr-FR;q=0.4
{"Data":"SomeData","Timestamp":"2013-08-07T10:13:06.533Z"}
And then followed by a normal 201 created response to the POST:
HTTP/1.1 201 Created
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 07 Aug 2013 10:13:05 GMT
Content-Length: 0
As you can see everything seems normal, but yet $http seems to think it's not.
Here are a few screenshots from Firebug:
$http goes to the wrong callback:
And this is the response I'm getting from $http... not really my 201!:
It appears as if your server is handling the OPTIONS (preflight) request correctly, but not the actual POST request. Your server needs to at least include an Access-Control-Allow-Origin header in the response to your POST request. In your case, that would be: Access-Control-Allow-Origin: http://myClient:1855.
For future reference, there is an excellent article about CORS that everyone who has to support a cross-origin environment should absolutely bookmark: MDN on HTTP access control.

Model not getting values from POST request

I am trying to POST something to my Web API but not matter what I do the model values are always set to null.
I have tried the following request (trace copied from fiddler):
POST http://localhost:53176/api/Profile HTTP/1.1
Host: localhost:53176
Connection: keep-alive
Content-Length: 40
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://localhost:53176
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:53176/SignUp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ASP.NET_SessionId=do5ddqwghl3v0bhlgr3pyicb
{"InputEmail":"aa","UserName":"asd"}
Update
and also with the following:
POST http://localhost:53176/api/Profile HTTP/1.1
Host: localhost:53176
Connection: keep-alive
Content-Length: 44
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost:53176
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
Content-Type: application/json
Referer: http://localhost:53176/SignUp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: ASP.NET_SessionId=do5ddqwghl3v0bhlgr3pyicb
{"InputEmail":"asdas","UserName":"dasd"}
My api looks like:
//here I have also tried [FromBody]
public MyDto Post(MyDto input)
{
return input;
}
MyDto has two properties and is:
public class MyDto
{
string InputEmail { get; set; }
string UserName { get; set; }
}
Would someone be able to tell me what is the problem in this code or if there is anything that I am missing?
I would also like to know how (or where) can I put the debugger somewhere inside webapi code to see what was the actual request before the webapi tries to deserialize it.
Your Content-Type header is application/x-www-form-urlencoded, but your body has json data. Modify your content-type header to be either application/json or text/json
EDIT:
Make your properties Public

Resources