Current Project Details
The ongoing project involves developing a single-page Angular JS application using SpringBoot with a Spring Security implementation. The application, known as 'Study Planner', allows students to input their study leave on a calendar. Progress has been made on enabling students to log in and enter details client-side.
Development Focus
Currently, the main focus is on capturing the added events in our client-side JavaScript and sending them back to the server using an Ajax POST request. The goal is to then store this data in the database tied to the student, enabling it to be retrieved when the student accesses the calendar in the future.
Challenges Faced
The primary challenge encountered revolves around the Ajax POST method, specifically due to the inclusion of a CSRF header in an attempt to bypass Spring Security. When the csrf header is absent, a 403 (unauthorized) error is triggered. However, upon introducing the csrf header, no network traffic is recorded, the server is not contacted, and the "error" function in the Ajax call is activated.
Issue with CSRF Token
https://i.sstatic.net/pDq7z.jpg
- Student Logs in to their Calendar
- Student adds an event
- 'newEventData function' alert triggered
- 'we failed' alert triggered
403 Error in Chrome
403 (Forbidden) "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'."
Resolution Attempts
https://i.sstatic.net/7vB9C.jpg
Despite adapting documentation from Spring to include the csrf token within 'beforesend', the issue remains. The same outcome occurs if the function from the docs is simply appended at the end of the JavaScript file.
- Student Logs in to their Calendar
- Student adds an event
- 'newEventData function' alert triggered
- 'beforesend' alert triggered
- 'we failed' alert triggered
Error thrown
SyntaxError: Failed to execute 'setRequestHeader' on 'XMLHttpRequest': '$(_csrf.headerName}' is not a valid HTTP header field name.
Seeking Assistance
- How can more detailed information about the Ajax error be obtained?
- What might be causing the absence of network traffic despite the Ajax call resulting in an error?
- Any recommendations for configuring Spring Security to mitigate this issue, aside from disabling it completely?
Additional Information
- The WebSecurityConfigAdapter has been extended
...Code snippet here...- Extension of 'OncePerRequestFilter' implemented (However, no System Outs are printed during the Ajax POST)
...Code snippet here...- The method being targeted is not being accessed when the csrf security is active within HttpSecurity
...Code snippet here...Apologies for the lengthy description, but the issue has been challenging, especially given the complex nature of web application security. Any guidance or suggestions on resolving this dilemma would be highly appreciated.
Thank you, Scott.
Update on Error Handling
Following the inclusion of error parameters as suggested by Paqman, additional information has been gathered, yet the resolution strategy remains uncertain.
SyntaxError: Failed to execute 'setRequestHeader' on 'XMLHttpRequest': '${_csrf.headerName}' is not a valid HTTP header field name.
https://i.sstatic.net/keejZ.jpg
When inspecting the chrome console, it seems that these values are being treated as text variables. Is this the incorrect approach? https://i.sstatic.net/4vrKB.jpg
Within index.html, the code snippet within the header section is as follows:
...Code snippet here...Additional Update
The issue concerning literal string problems was resolved by using 'th:content' instead of 'content', yet errors persisted regarding the undefined nature of the header/token. The actual solution to this problem has been shared, but for others facing similar challenges with accessing metadata in HTML files in an Angular project, changing 'content' to 'th:content' may prove beneficial.
View this related question
...Code snippet here...