without csrf token -> an attacker can make me do an action that I didn't intend to do.
this is a local page which is an example of malicious.html -> if the user clicks on it, it will call our RestController /change because we are already logged in
but with csrf token
login page is generated by spring security -> put the csrf token in the form body
we tried to access or request without a csrf token -> spring security cannot know if it's the same browser as the one you logged in from
we can just add the csrf token that spring made when calling /change -> this will let spring security recognize it is the same browser that you logged in from.
by c.ignoringAntMatchers -> you can disable the csrf feature for a specific url
by implementing CsrfTokenRepository with the DefaultCsrfToken that spring gives us we can manage csrf tokens manually
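Added example (not the lesson's own code) putting the three points together in one Spring Security 5.x (javax.servlet, lambda DSL) config: CSRF stays on, one path is excluded with ignoringAntMatchers, and a custom CsrfTokenRepository hands out DefaultCsrfToken values kept server side per session. The class name SessionMapCsrfTokenRepository and the path /webhook/** are assumptions.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;

@Configuration
public class CsrfConfig {

    // Hypothetical repository: one token per HTTP session, stored on the server,
    // so a token is only valid for the browser session it was issued to.
    static class SessionMapCsrfTokenRepository implements CsrfTokenRepository {
        private final Map<String, CsrfToken> tokens = new ConcurrentHashMap<>();

        @Override
        public CsrfToken generateToken(HttpServletRequest request) {
            // "_csrf" is the hidden form field name; "X-CSRF-TOKEN" the header for AJAX calls
            return new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", UUID.randomUUID().toString());
        }

        @Override
        public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
            String id = request.getSession(true).getId();
            if (token == null) tokens.remove(id); else tokens.put(id, token);  // null means "clear"
        }

        @Override
        public CsrfToken loadToken(HttpServletRequest request) {
            HttpSession session = request.getSession(false);
            return session == null ? null : tokens.get(session.getId());
        }
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(c -> c.csrfTokenRepository(new SessionMapCsrfTokenRepository())
                         .ignoringAntMatchers("/webhook/**"))   // hypothetical path, CSRF check skipped only here
            .authorizeRequests(a -> a.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());              // generated login page embeds the _csrf field
        return http.build();
    }
}
```

A POST to /change from malicious.html now fails with 403 because it carries no `_csrf` value matching the session's stored token, while the same POST from the generated form (which includes the hidden `_csrf` input) succeeds.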