POST API calls are not working with pac4j - csrfAuthorizer


Swetha

Mar 31, 2020, 3:45:23 PM3/31/20
to Pac4j users mailing list
Hi,

In our application, we are using pac4j SAML security, and I'm getting the following exception when I'm trying to hit the POST API.

o.p.c.a.c.DefaultAuthorizationChecker: Checking authorizer: org.pac4j.core.authorization.authorizer.csrf.CsrfAuthorizer@3f9e0794 -> false
2020-03-28 00:19:58.566 DEBUG 16708 --- [ XNIO-1 task-35] o.p.core.engine.DefaultSecurityLogic     : forbidden

I have gone through the csrfAuthorizer class and found the following code in the isAuthorized method; it is blocking us.

final boolean checkRequest = checkAllRequests || isPost(context) || isPut(context) || isPatch(context) || isDelete(context);

Could anyone please help me in fixing this issue?

And we are generating JWT tokens and passing them in a header for every API call.


Thanks in Advance

Regards,
Swetha

Jérôme LELEU

Apr 1, 2020, 3:12:48 AM4/1/20
to Swetha, Pac4j users mailing list
Hi,

Which version of pac4j do you use? I guess v4.

By default, a CSRF token is generated which should be sent for a POST request.

Either you disable the csrfCheck by setting the authorizers property to blank
or
you get the CSRF token from the request or cookie (pac4jCsrfToken) and send it along your POST request.

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pac4j-users/dc5a10fd-0742-4eaa-8334-42a0cd5de3d6%40googlegroups.com.

Swetha

Apr 1, 2020, 4:39:06 AM4/1/20
to Pac4j users mailing list
Thanks for the quick reply. I tried adding security.enable-csrf = false in my application.properties but it didn't work.

We are sending Authorization = JWT Token in request headers.

How can I set the authorizer to blank? I'm not finding anything.

Thanks & Regards,
Swetha



Swetha

Apr 1, 2020, 4:39:49 AM4/1/20
to Pac4j users mailing list
Using pac4j version 4

Jérôme LELEU

Apr 1, 2020, 6:31:25 AM4/1/20
to Swetha, Pac4j users mailing list
Hi,

Not this way.
You must disable the csrfCheck on the "security filter": which pac4j implementation do you use?
Thanks.
Best regards,
Jérôme



Swetha

Apr 1, 2020, 6:42:29 AM4/1/20
to Pac4j users mailing list
Hi,

We are using SAML-Pac4j authorization. I have attached my SAML and security config files herewith.

Thanks,
Swetha
SamlConfig.java
SecurityConfig.java

Jérôme LELEU

Apr 1, 2020, 7:01:14 AM4/1/20
to Swetha, Pac4j users mailing list
Hi,

Do securityInterceptor.setAuthorizers(""); on the appropriate URL.
Thanks.
Best regards,
Jérôme



Swetha

Apr 1, 2020, 7:10:20 AM4/1/20
to Pac4j users mailing list
Hi,

Thank you so much. It's working fine. But I have a doubt: will setting the authorizer to blank affect anything?


Thanks & Regards,
Swetha

Jérôme LELEU

Apr 1, 2020, 9:42:01 AM4/1/20
to Swetha, Pac4j users mailing list
Hi,

Nothing more than the CSRF check.
Thanks.
Best regards,
Jérôme


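As an added example (not code from the thread, nor from the pac4j project itself), here is how the securityInterceptor.setAuthorizers("") override discussed above can be scoped to just the JWT-authenticated API path in a spring-webmvc-pac4j 4.x configuration, so that browser-facing routes keep the default csrfCheck. The client names HeaderClient and SAML2Client, the path patterns /api/** and /app/**, and the injected Config bean are assumptions about the application; adjust them to the real SamlConfig.

```java
// Added example, not from the mailing-list thread or the pac4j project.
// Assumes a pac4j Config bean that already registers a SAML2Client for the
// browser login and a HeaderClient (with a JwtAuthenticator) for the API.
import org.pac4j.core.config.Config;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class ScopedSecurityConfig implements WebMvcConfigurer {

    private final Config config;

    public ScopedSecurityConfig(Config config) {
        this.config = config;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // API routes: every call carries an explicit Authorization header, so
        // the default csrfCheck (applied by pac4j v4 when no authorizers are
        // given) is removed here only, by setting the authorizers to blank.
        // "HeaderClient" is the assumed name of the JWT client.
        SecurityInterceptor api = new SecurityInterceptor(config, "HeaderClient");
        api.setAuthorizers("");
        registry.addInterceptor(api).addPathPatterns("/api/**");

        // Browser-facing routes: the SAML session is a cookie that the browser
        // attaches automatically, so leave the authorizers unset and keep the
        // default CSRF check. "SAML2Client" is the assumed client name.
        SecurityInterceptor web = new SecurityInterceptor(config, "SAML2Client");
        registry.addInterceptor(web).addPathPatterns("/app/**");
    }
}
```

The split matters because a CSRF check only protects endpoints that accept credentials the browser sends on its own (the SAML session cookie). A route that is reachable only with an Authorization header gains little from it, while any route that also honours the cookie-backed session should keep the check rather than having the authorizers blanked for the whole application.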

Istvan Kozma

Jul 21, 2020, 7:58:01 AM7/21/20
to Pac4j users mailing list
Hi Jérôme,

I have the same issue, I receive 403 for the POST requests because of the csrf authorizer. 

I do not want to disable it, so I started to debug. It seems to me that the CsrfTokenGeneratorMatcher sets the pac4jCsrfToken into the request attributes (line 37),
and the CsrfAuthorizer (line 43) tries to retrieve it from the request params or headers, which of course will return nothing.

So it seems to me that the default implementation is not working; in order to make it work I need to write a custom authorizer. Am I right, or did I misunderstand something? (I am using pac4j for Shiro v. 4.0.3.)

Thank you!
Istvan

Elpidio Gonzalez

Jul 21, 2020, 8:34:38 AM7/21/20
to pac4j...@googlegroups.com
Hi Istvan,

From the documentation (https://www.pac4j.org/docs/authorizers.html)
> Since pac4j v4, if no authorizers are defined, the DefaultAuthorizationChecker applies the csrfCheck configuration.

You can check if any of the out-of-the box authorizers suits your needs, or, as you suggested, write your own.



Alternatively, if you want to use CSRF, do as Jérôme says:
> you get the CSRF token from the request or cookie (pac4jCsrfToken) and send it along your POST request.

Best Regards,
Elpidio Gonzalez