zyro23 / grails-spring-websocket


Websocket Security CSRF error #32

Status: Closed (hanyou closed this issue 8 years ago)

hanyou commented 8 years ago

```gsp
var csrfHeaderName = "${request._csrf.headerName}";
```

Resulting error page:

URI: /example/index
Class: java.lang.NullPointerException
Message: Request processing failed; nested exception is org.grails.gsp.GroovyPagesException: Error evaluating expression [request._csrf.headerName] on line [34]: Cannot get property 'headerName' on null object
Caused by: Cannot get property 'headerName' on null object

zyro23 commented 8 years ago

Grails 3? Plugin version? Spring Security 4? CSRF enabled? A sample app would be nice.

hanyou commented 8 years ago

Grails 3, Spring Security Core Plugin 3.0.0, Spring Websocket Grails Plugin 2.1.0. I tried your sample on the page.

hanyou commented 8 years ago

Can you provide a whole demo with Grails 3, Spring Security Core Plugin 3.0.0, Spring Websocket Grails Plugin 2.1.0 and Redis?

zyro23 commented 8 years ago

Regarding this issue about CSRF: the spring-security-core plugin 3.0.0 does not currently enable CSRF protection, so no header is required.

Sample app (grails-3.1.0.m3, ssc-3.0.0, security, redis): https://github.com/zyro23/wssectest, especially this commit: https://github.com/zyro23/wssectest/commit/af8a499cfc3ee70d1613ebc88858d59fb31b4117

HTH. I'd say this one can be closed - do you agree?

hanyou commented 8 years ago

Thank you very much! But I did not find the websocket security JavaScript code below in the example/index.gsp. How do I use CSRF?

```gsp
$(function() {
    var url = "${createLink(uri: '/stomp')}";
    var csrfHeaderName = "${request._csrf.headerName}";
    var csrfToken = "${request._csrf.token}";
    var socket = new SockJS(url);
    var client = Stomp.over(socket);
    var headers = {};
    headers[csrfHeaderName] = csrfToken;
    client.connect(headers, function() {
        // subscriptions etc. [...]
    });
});
```

zyro23 commented 8 years ago

Here is how it is configured in Spring Security 4:

However, as I said, the Grails spring-security-core plugin 3.0.0 does not currently enable CSRF protection, so no header is required. If you want to enable it right now, you will likely have to do it manually (Java config will probably not work because it is not used by Grails ssc-3, and XML config I did not try at all). Anyway, explicit bean definitions are how the ssc plugin is configured after all, to provide the flexibility of allowing you to override almost all relevant beans.

But be aware that if you enable CSRF protection for your app, you will have to take care in a lot of places that the token is passed along correctly (core taglibs, dbconsole, plugins, etc.).

So maybe just raise an issue against grails-spring-security-core feature-requesting CSRF support? @burtbeckwith is aware that this is currently not supported but hopes to enable it soon (likely also facing the problem that CSRF support has to be supported in code that is not within the ssc plugin).
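The thread turns on two things: the GSP snippet above assumes `request._csrf` is always present, which is exactly what blows up when CSRF protection is off, and once protection is on, the token has to travel in the STOMP CONNECT headers where Spring Security 4 checks it. The following is an added example, not code from the grails-spring-websocket project or from Spring, that models both sides of that handshake in plain JavaScript: a client-side header builder that copes with a missing token, the STOMP 1.2 CONNECT frame stomp.js writes onto the SockJS socket, and a simplified stand-in for the server-side check Spring applies to CONNECT frames. The function names, the `'X-CSRF-TOKEN'` default (Spring Security's default header name), the sample tokens and the simplified check are all assumptions made here.

```javascript
// Added example (not from grails-spring-websocket or Spring): a model of the CSRF
// handshake between a STOMP-over-SockJS client and a Spring Security 4 server.
// All names, sample tokens and the simplified server check are assumptions.

// Client side. In the GSP the token comes from request._csrf; when CSRF protection
// is disabled (as with spring-security-core 3.0.0) it is absent. In that case no
// header may be added at all: sending the string "undefined" as a header value
// would be rejected by a server that does check the token.
function buildConnectHeaders(csrf) {
  const headers = {};
  if (csrf && csrf.headerName && csrf.token) {
    headers[csrf.headerName] = csrf.token;
  }
  return headers;
}

// Serialize a STOMP 1.2 CONNECT frame, which is what client.connect(headers, ...)
// writes onto the socket. STOMP 1.2 exempts CONNECT from header escaping, so the
// header lines are emitted verbatim.
function encodeConnectFrame(headers) {
  const lines = ['CONNECT', 'accept-version:1.2'];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(name + ':' + value);
  }
  return lines.join('\n') + '\n\n\0';
}

// Parse a raw frame back into { command, headers, body }.
function parseFrame(raw) {
  const end = raw.indexOf('\n\n');
  if (end < 0) throw new Error('malformed STOMP frame');
  const [command, ...headerLines] = raw.slice(0, end).split('\n');
  const headers = {};
  for (const line of headerLines) {
    const sep = line.indexOf(':');
    if (sep < 0) throw new Error('malformed STOMP header: ' + line);
    const name = line.slice(0, sep);
    // STOMP: if a header is repeated, the first occurrence wins.
    if (!(name in headers)) headers[name] = line.slice(sep + 1);
  }
  const body = raw.slice(end + 2).replace(/\0$/, '');
  return { command, headers, body };
}

// Compare two tokens without returning early at the first differing character.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side. A simplified stand-in (assumption, not Spring's code) for the check
// Spring Security 4 applies to inbound STOMP messages: only CONNECT is checked, the
// presented token is read from the frame's native header and compared with the
// token bound to the HTTP session. Returns 'ACCEPT' or 'REJECT'.
function checkConnectFrame(frame, sessionToken, options) {
  const { csrfEnabled = true, headerName = 'X-CSRF-TOKEN' } = options || {};
  if (!csrfEnabled || frame.command !== 'CONNECT') return 'ACCEPT';
  const presented = frame.headers[headerName];
  if (typeof presented !== 'string' || typeof sessionToken !== 'string') return 'REJECT';
  return constantTimeEqual(presented, sessionToken) ? 'ACCEPT' : 'REJECT';
}

// Run one handshake end to end: page-provided CSRF data -> CONNECT frame -> server check.
function runHandshake(pageCsrf, sessionToken, csrfEnabled) {
  const raw = encodeConnectFrame(buildConnectHeaders(pageCsrf));
  return checkConnectFrame(parseFrame(raw), sessionToken, { csrfEnabled });
}

// Constructed sample session token and the cases the thread touches on.
const SESSION_TOKEN = 'c0ffee-1234';
console.log('csrf off, no token on page :', runHandshake(null, SESSION_TOKEN, false));
console.log('csrf on, matching token    :',
  runHandshake({ headerName: 'X-CSRF-TOKEN', token: SESSION_TOKEN }, SESSION_TOKEN, true));
console.log('csrf on, header omitted    :', runHandshake(null, SESSION_TOKEN, true));
console.log('csrf on, wrong token       :',
  runHandshake({ headerName: 'X-CSRF-TOKEN', token: 'deadbeef' }, SESSION_TOKEN, true));
```

The first case is the situation in this thread: with protection disabled the client must not try to read a token, and the server accepts CONNECT without one. The third case is what a client gets once protection is enabled but the page no longer renders the token (for example a taglib or plugin view that was never taught to emit it), which is the "lots of places" problem described above: the CONNECT is rejected before any subscription is made.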