<div dir="ltr">Hi Team,<div><br></div><div>I have been trying to access a restful service which is CSRF protected from a different domain. </div><div><br></div><div><a href="http://stackoverflow.com/questions/29218790/access-restful-service-which-is-owasp-csrfguard-protected-from-different-domain">http://stackoverflow.com/questions/29218790/access-restful-service-which-is-owasp-csrfguard-protected-from-different-domain</a></div><div><br></div><ol style="margin:0px 0px 1em 30px;padding:0px;border:0px;font-size:15px;font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;line-height:19.5px"><li style="margin:0px 0px 0.5em;padding:0px;border:0px;word-wrap:break-word"><p style="margin:0px 0px 1em;padding:0px;border:0px;clear:both">My application has been built using Spring MVC and I have exposed a few Restful URIs. <strong style="margin:0px;padding:0px;border:0px">(Working Fine)</strong> e.g. - <a href="http://example.org/alert/alerts" rel="nofollow" style="margin:0px;padding:0px;border:0px;color:rgb(12,101,165);text-decoration:none">http://example.org/alert/alerts</a> //get list of Alerts for the logged in user.</p></li><li style="margin:0px 0px 0.5em;padding:0px;border:0px;word-wrap:break-word"><p style="margin:0px 0px 1em;padding:0px;border:0px;clear:both">I have configured the application for Cross Site Request Forgery (CSRF) using OWASP CSRFGuard by following the link - <strong style="margin:0px;padding:0px;border:0px">(Working Fine)</strong> <a href="https://www.owasp.org/index.php/CSRFGuard_3_Configuration#Overview" rel="nofollow" style="margin:0px;padding:0px;border:0px;color:rgb(12,101,165);text-decoration:none">https://www.owasp.org/index.php/CSRFGuard_3_Configuration#Overview</a></p></li><li style="margin:0px 0px 0.5em;padding:0px;border:0px;word-wrap:break-word"><p style="margin:0px 0px 1em;padding:0px;border:0px;clear:both">The Restful services are currently being consumed by the same application's UI without having any issues. 
<strong style="margin:0px;padding:0px;border:0px">(Working Fine)</strong> e.g. - A data Grid which is part of the same WebApp is displaying list of Alerts by calling this Restful service (AJAX request)</p></li><li style="margin:0px 0px 0.5em;padding:0px;border:0px;word-wrap:break-word"><p style="margin:0px 0px 1em;padding:0px;border:0px;clear:both"><strong style="margin:0px;padding:0px;border:0px">Issue</strong>: When I try to access the same Restful services from a different domain's HTML/<b>Angular JS Page</b>, it doesn't return any data except for 302.</p></li><li style="margin:0px 0px 0.5em;padding:0px;border:0px;word-wrap:break-word"><p style="margin:0px 0px 1em;padding:0px;border:0px;clear:both">If I set the "unprotected pages" property in csrfguard.properties for the restful URIs, I am able to access the Restful service from RestClient/different domain.</p></li><li style="margin:0px 0px 0.5em;padding:0px;border:0px;word-wrap:break-word"><p style="margin:0px 0px 1em;padding:0px;border:0px;clear:both">I also have enabled CORS at my server so that a client which is at a different domain can access my REST URIs.</p></li></ol><div><span style="font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;font-size:15px;line-height:19.5px">Please suggest if I need to do any other configuration so that the same Restful services which are protected by CSRF can be accessed from a different domain/Chrome rest Client.</span> </div></div>