[Owasp-csrfguard] Access Restful Service which is OWASP CSRFGuard protected from Different Domain's Angular Page

Suman Deb Roy suman.debroy at gmail.com
Thu Apr 23 03:55:52 UTC 2015


Hi Team,

I have been trying to access a restful service which is CSRF protected from
a different domain.

http://stackoverflow.com/questions/29218790/access-restful-service-which-is-owasp-csrfguard-protected-from-different-domain


   1. My application has been built using Spring MVC and I have exposed a few
      Restful URIs. *(Working Fine)* e.g. http://example.org/alert/alerts // get
      the list of Alerts for the logged-in user.

   2. I have configured the application for Cross Site Request Forgery (CSRF)
      protection using OWASP CSRFGuard by following this link: *(Working Fine)*
      https://www.owasp.org/index.php/CSRFGuard_3_Configuration#Overview

   3. The Restful services are currently being consumed by the same
      application's UI without any issues. *(Working Fine)* e.g. a data Grid
      which is part of the same WebApp displays the list of Alerts by calling
      this Restful service (AJAX request).

   4. *Issue*: When I try to access the same Restful services from a different
      domain's HTML/*Angular JS Page*, it doesn't return any data, only a 302.

   5. If I set the "unprotected pages" property in csrfguard.properties for
      the Restful URIs, I am able to access the Restful service from
      RestClient/a different domain.

   6. I have also enabled CORS at my server so that a client which is at a
      different domain can access my REST URIs.

Please suggest if I need to do any other configuration so that the same
Restful services which are protected by CSRF can be accessed from a
different domain/Chrome REST Client.
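An added example, not from the original post and not CSRFGuard's or Spring's own code: a small JavaScript model of the two independent gates a cross-domain caller such as the Angular page in item 4 has to pass, the browser's CORS preflight and the CSRFGuard token check on the server. All origins, paths, policy values and the token are constructed. Two assumptions about the configuration in the question: the token travels in a request header named OWASP_CSRFTOKEN (the default org.owasp.csrfguard.TokenName in csrfguard.properties), and a missing or wrong token triggers CSRFGuard's default Redirect action, modelled here as the 302 the question describes.

```javascript
// Added example (not from the original post). Models, offline, what happens when
// a page on https://ui.example.net (constructed origin) calls a CSRFGuard-protected
// REST URI on another domain. Nothing here talks to a network.

// Assumption: the CSRF token header name is CSRFGuard's default token name.
const TOKEN_HEADER = 'OWASP_CSRFTOKEN';

// Constructed server-side CORS policy. With cookies in play the server must echo
// the exact origin and set Allow-Credentials; a "*" origin is rejected by browsers.
const corsPolicy = {
  allowedOrigins: ['https://ui.example.net'],
  allowedMethods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type', TOKEN_HEADER],
  allowCredentials: true,
};

// Constructed CSRFGuard model: token value, unprotected path prefixes (the
// "unprotected pages" property from item 5) and the redirect target.
const csrfConfig = {
  expectedToken: 'constructed-token-value',
  unprotectedPrefixes: ['/public/'],
  errorPage: '/csrf-error.html',
};

// Server's answer to the OPTIONS preflight: CORS headers, or null when refused.
// Header names are compared case-insensitively, as the browser does.
function preflight(origin, method, requestedHeaders, policy) {
  if (!policy.allowedOrigins.includes(origin)) return null;
  if (!policy.allowedMethods.includes(method)) return null;
  const allowed = policy.allowedHeaders.map(h => h.toLowerCase());
  if (!requestedHeaders.every(h => allowed.includes(h.toLowerCase()))) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
    'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
    'Access-Control-Allow-Credentials': policy.allowCredentials ? 'true' : undefined,
  };
}

// Model of the CSRFGuard filter in front of the REST handler: unprotected paths
// pass through, otherwise the token header must match or the filter redirects.
function csrfGuardFilter(path, headers, config) {
  const sampleAlerts = ['disk usage high', 'login from new device']; // constructed payload
  if (config.unprotectedPrefixes.some(p => path.startsWith(p))) {
    return { status: 200, body: sampleAlerts };
  }
  const entry = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === TOKEN_HEADER.toLowerCase());
  if (!entry || entry[1] !== config.expectedToken) {
    return { status: 302, location: config.errorPage }; // CSRFGuard Redirect action
  }
  return { status: 200, body: sampleAlerts };
}

// Browser-side sequence for a credentialed cross-origin XHR/fetch. This model
// preflights every request; a refused preflight never reaches the server and the
// page sees a network-level failure (status 0), not a 302.
function crossOriginCall(req, policy = corsPolicy, config = csrfConfig) {
  const pre = preflight(req.origin, req.method, Object.keys(req.headers), policy);
  if (!pre) return { status: 0, error: 'blocked by CORS preflight' };
  if (req.withCredentials && pre['Access-Control-Allow-Credentials'] !== 'true') {
    return { status: 0, error: 'cookies sent but Access-Control-Allow-Credentials is not true' };
  }
  return csrfGuardFilter(req.path, req.headers, config);
}

// Demo: the same call with and without the token header.
const demoRequest = {
  origin: 'https://ui.example.net', method: 'GET', path: '/alert/alerts', withCredentials: true,
};
console.log(crossOriginCall({ ...demoRequest, headers: { [TOKEN_HEADER]: csrfConfig.expectedToken } }).status); // 200
console.log(crossOriginCall({ ...demoRequest, headers: {} }).status); // 302
```

The model separates the two failure modes the question conflates: a request that is refused by CORS never produces an HTTP status at all, while a request that clears CORS but carries no token is answered by the filter's redirect. Whitelisting the URI in the unprotected-pages property removes the second gate entirely, which is why item 5 works from any client.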