我正在Zuul后面运行OAuth2服务器。Zuul将用户转发到登录页面。Zuul还定义了以下httpsecurity:
@Override
public void configure(HttpSecurity http) throws Exception {
...
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
OAuth2服务器上的登录自由标记模板像这样解析CSRF令牌:
<from>
...
<input type="hidden" id="csrf_token" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
直到这里,一切都很好。否我包括了一个密码重置freemarker模板的链接:
<a href="/uaa/reset"><@spring.message "login.forgot"/></a>
以及以下WebMvcconFigurerAdapter配置:
@Configuration
public class OAuthWebFormConfiguration extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
registry.addViewController("/reset").setViewName("reset");
}
当我导航到重置视图时,我会收到以下错误:
: Servlet.service() for servlet [dispatcherServlet] in context with path
[/uaa] threw exception [Request processing failed; nested exception is
freemarker.core.InvalidReferenceException: The following has evaluated to
null or missing:
==> _csrf [in template "reset.ftl" at line 21, column 64]
Tip: If the failing expression is known to legally refer to something
that's sometimes null or missing, either specify a default value like
myOptionalVar!myDefault, or use <#if myOptionalVar??>when-
present<#else>when-missing</#if>. (These only cover the last step of the
expression; to cover the whole expression, use parenthesis:
(myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??
FTL stack trace ("~" means nesting-related):
- Failed at: ${_csrf.parameterName} [in template "reset.ftl" at line 21,
column 62]
----] with root cause
freemarker.core.InvalidReferenceException: The following has evaluated to
null or missing:
==> _csrf [in template "reset.ftl" at line 21, column 64]
Tip: If the failing expression is known to legally refer to something that's
sometimes null or missing, either specify a default value like
myOptionalVar!myDefault, or use <#if myOptionalVar??>when-
present<#else>when-
missing</#if>. (These only cover the last step of the expression; to cover
the whole expression, use parenthesis: (myOptionalVar.foo)!myDefault,
(myOptionalVar.foo)??
FTL stack trace ("~" means nesting-related):
- Failed at: ${_csrf.parameterName} [in template "reset.ftl" at line 21,
column 62]
有帮助吗?
修复程序是将重置视图添加到像这样的抗匹配者列表中:
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/console/**", "/reset").permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.requestMatchers()
.antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access", "/reset")
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
// @formatter:on
}
这样,Springs CsrfFilter
将启动并添加CSRF令牌作为请求属性。