
To protect the application from CSRF attacks, we set a cookie named XSRF-TOKEN from the server side. So we can set the cookie from client-side code and send it to the server, but to validate CSRF on the server side we need to send a header when triggering a "POST" service call. According to the Angular documentation, $http automatically sets the X-XSRF-TOKEN header by reading the cookie (see the link), but although we have deployed the application on the same domain, the JavaScript code cannot read the cookie. The server-side cookie generation code and service deployment details are as follows:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Set the XSRF-TOKEN cookie on the response; the servlet Cookie class leaves
// HttpOnly off by default, so same-origin client-side JavaScript can read it.
final Cookie newCookie = new Cookie("XSRF-TOKEN", csrfValue);
newCookie.setPath("/");
httpResponse.addCookie(newCookie);

The UI is deployed on port 8080 and the service on port 8084 within the same VM.


1 Answer


Port 8080 and 8084 are different origins, so you can't read cookies from one on the other, the same as you can't access the cookies of any other website in javascript running on yours.

How does the service authenticate the user? If it's token based, and the token is sent as a request header, you don't even need further protection from csrf.

Answered 2018-04-11T20:33:34.430