小贝子编程

Spring 安全性 - 由于 CSRF 而拒绝访问



我正在使用 spring 安全性开发一个网站,我有一个不安全的页面"product/58",其中我有以下形式:

<form:form name="offerForm" id="offer" modelAttribute="offerProposal" action="/product/make/offer/" method="post" enctype="multipart/form-data">
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>         
    <form:input path="minPrice"/>
</form:form>

问题是,如果我登录并打开页面(我是经过身份验证的用户(,提交表单,Spring Security 会将我重定向到拒绝的控制器,并在日志中显示:

2018-03-22 19:09:42,679 DEBUG [user1_308 (21C272993EC9D1BD7085533415452657)] [https://localhost:8443/standard/resources/js/slick/ajax-loader.gif] [org.springframework.security.web.context.HttpSessionSecurityContextRepository] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@4193b3e0: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@4193b3e0: Principal: com.projectx.standard.services.user.model.CustomUserDetails@58c7c40: Username: user1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 7A5CB3F014A45BB6632A3503A7B23D02; Granted Authorities: ROLE_USER'
2018-03-22 19:09:42,680 DEBUG [user1_308 (21C272993EC9D1BD7085533415452657)] [https://localhost:8443/standard/resources/js/slick/ajax-loader.gif] [org.springframework.security.web.csrf.CsrfFilter] Invalid CSRF token found for https://localhost:8443/standard/product/make/offer/
2018-03-22 19:09:42,747 INFO [user1_308 (21C272993EC9D1BD7085533415452657)] [https://localhost:8443/standard/resources/js/slick/ajax-loader.gif] [com.projectx.standard.app.interceptor.LogInterceptor] [Start request] - ************* URL https://localhost:8443/standard/accessDenied/ *************

弹簧安全配置如下:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                           http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
                           http://www.springframework.org/schema/security 
                           http://www.springframework.org/schema/security/spring-security-4.2.xsd">
    <http pattern="/resources/css" security="none" />
    <http pattern="/resources/images" security="none" />
    <http pattern="/resources/js" security="none" />
    <global-method-security secured-annotations="enabled" />
    <beans:bean id="ajaxAwareLoginUrlAuthenticationEntryPoint" class="com.projectx.standard.app.handler.AjaxAwareLoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/login/" />       
    </beans:bean>
    <http use-expressions="true" disable-url-rewriting="true"  entry-point-ref="ajaxAwareLoginUrlAuthenticationEntryPoint">
        <access-denied-handler error-page="/accessDenied/" />
        <session-management>
            <concurrency-control expired-url="/login/" />
        </session-management>
        <logout logout-success-url="/" invalidate-session="true" logout-url="/logout" />
        <intercept-url pattern="/favicon.ico" access="permitAll"
            requires-channel="https" />
        <intercept-url pattern="/robots.txt" access="permitAll"
            requires-channel="https" />
        <intercept-url pattern="/product/make/offer/*" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/**" access="permitAll"
            requires-channel="https" />
        <!-- Set the login page and what to do if login fails -->
        <form-login login-page="/login/"
            authentication-failure-handler-ref="customAuthenticationFailureHandler"
            authentication-success-handler-ref="customAuthenticationSuccessHandler"
            username-parameter="j_username" 
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"
            always-use-default-target="false" />
        <remember-me data-source-ref="dataSource"
            remember-me-parameter="_spring_security_remember_me"
            remember-me-cookie="SPRING_SECURITY_REMEMBER_ME_COOKIE" />
    </http>
    <beans:bean id="customAuthenticationSuccessHandler"
        class="com.projectx.standard.app.handler.CustomAuthenticationSuccessHandler" />
    <beans:bean id="customAuthenticationFailureHandler"
        class="com.projectx.standard.app.handler.CustomAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login/?error=true" />
    </beans:bean>
    <!-- Use a BCryptPasswordEncoder encoder since the user's passwords are 
        stored as BCryptPasswordEncoder in the database -->
    <beans:bean id="passwordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
    <authentication-manager>
        <authentication-provider user-service-ref="loginService">
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>

这看起来像CSRF,但形式作为令牌。我能做些什么来解决这个问题?

谢谢

我想通了...如果我将 ?${_csrf.parameterName}=${_csrf.token} 添加到表单操作中,那么一切正常。

我不知道这是否是最好的方法,但它有效!

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium