Spring: programmatically generate new csrf token

I am trying to make a webapp that will run on a single HTML page that will allow users to interact with the server via JavaScript and ajax. I would like my requests to be protected from csrf attacks, including the csrf token in every request.

Since my webapp will only run on one page, I cannot use the `${_csrf.token}` syntax (or something similar) in the view, because the view will be a json object. Instead, I would like to have a URL like "/security/csrf" that returns a token associated with the user's session. (Yes, it won't be a quiet service for sure.)

Is there a way for me to generate a csrf token that Spring Security can access when validating login? And furthermore, is there any downside to using csrf tokens this way?

+3




1 answer


The per request token will destroy the caching. The session token is also secure.

In your first html answer, include the csrf token in the meta tag, like the docs say: http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-include-csrf-token-ajax



You can use the same token in requests (in the same session)

+1
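
The approach in the answer above, as an added example that is not part of the original post: client-side JavaScript reads the session token once from the `_csrf` and `_csrf_header` meta tags (the names used in the linked Spring Security docs section) and reuses it on every state-changing AJAX call. The function names and the same-origin check are assumptions of this example; the check keeps the token from being sent to other sites.

```javascript
// Added example: readCsrfMeta / withCsrf / csrfFetch are hypothetical names.
// Methods that Spring Security's default CSRF filter does not check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the token and header name the server rendered into the page <head>:
//   <meta name="_csrf" content="${_csrf.token}"/>
//   <meta name="_csrf_header" content="${_csrf.headerName}"/>
function readCsrfMeta(doc) {
  const get = (name) => {
    const el = doc.querySelector(`meta[name="${name}"]`);
    return el ? el.getAttribute("content") : null;
  };
  const token = get("_csrf");
  const header = get("_csrf_header");
  if (!token || !header) throw new Error("CSRF meta tags missing from page");
  return { token, header };
}

// Return fetch options with the CSRF header added, but only for
// state-changing methods sent to the page's own origin.
function withCsrf(url, options, csrf, pageOrigin) {
  const method = (options.method || "GET").toUpperCase();
  const target = new URL(url, pageOrigin); // resolves relative URLs
  const headers = { ...(options.headers || {}) };
  if (!SAFE_METHODS.has(method) && target.origin === pageOrigin) {
    headers[csrf.header] = csrf.token;
  }
  return { ...options, method, headers };
}

// Browser entry point: the same session token is reused for each request.
function csrfFetch(url, options = {}) {
  const csrf = readCsrfMeta(document);
  return fetch(url, withCsrf(url, options, csrf, window.location.origin));
}
```
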

