AngularJS with Spring Security and CSRF Token
I was recently working on an AngularJS application with Spring Security. We needed to implement Cross Site Request Forgery protection.
For more about this type of attack, take a look at the explanation on the open web application security project.
By default AngularJS provides a mechanism for Cross Site Request Forgery protection, but that mechanism works with cookies only. Since Spring Security works by expecting the token as an HTTP parameter, the out-of-the-box solution AngularJS provides wouldn’t work. There are several posted discussions about how to implement CSRF protection with Spring Security within single page applications. While reading these solutions, I discovered a simple AngularJS interceptor that did the trick.
As mentioned in its documentation, the spring-security-csrf-token-interceptor works by issuing a HEAD request to retrieve the X-CSRF-TOKEN header; it then stores this token and sends it out with every subsequent HTTP request.
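To make that flow concrete, here is an added example (my own sketch, not the spring-security-csrf-token-interceptor project's code) of a minimal interceptor with the same behaviour: fetch the token once with a HEAD request, cache it, and attach it to every request. It assumes an injectable `transport` function of the form `(config) => Promise<{status, headers}>` standing in for `$http`, so the logic can run outside AngularJS.

```javascript
// Added example, not the interceptor project's own code. `transport` is an
// assumed stand-in for $http: (config) => Promise<{ status, headers }>.

const CSRF_HEADER = 'X-CSRF-TOKEN';

// Header names are case-insensitive; browsers and servers differ in casing.
function extractCsrfToken(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === CSRF_HEADER.toLowerCase()) return headers[name];
  }
  return null;
}

// Return a copy of the request config with the token header attached.
function withCsrfHeader(config, token) {
  return Object.assign({}, config, {
    headers: Object.assign({}, config.headers, { [CSRF_HEADER]: token }),
  });
}

function createCsrfInterceptor(transport, tokenUrl) {
  let token = null;   // cached token, fetched once per page load
  let pending = null; // in-flight HEAD call, shared by concurrent requests

  // HEAD the token URL and read X-CSRF-TOKEN from the response headers.
  function fetchToken() {
    if (token) return Promise.resolve(token);
    if (!pending) {
      pending = transport({ method: 'HEAD', url: tokenUrl }).then((res) => {
        const value = extractCsrfToken(res.headers);
        if (!value) throw new Error(CSRF_HEADER + ' missing from HEAD response');
        token = value;
        pending = null;
        return token;
      }, (err) => { pending = null; throw err; });
    }
    return pending;
  }

  // AngularJS calls interceptor.request(config) before each $http request;
  // the cached token is added to every one, as the post describes.
  async function request(config) {
    return withCsrfHeader(config, await fetchToken());
  }

  return { request, fetchToken };
}
```

In the real application the HEAD call goes through `$http` too, which is why the published interceptor must avoid intercepting its own token request; here that is sidestepped by calling `transport` directly.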