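Access denied 403 when Spring Security CSRF support is enabled
In my Spring application, when CSRF is enabled in the Spring Security configuration file (<security:csrf/>)
and I try to submit the login form, the access denied 403 page appears, or the
(Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.)
exception is thrown (when no access-denied handler is present).
"But if I do not enable CSRF in the Spring Security configuration file, then everything works perfectly."
Here is my code with CSRF enabled.
pom.xml (all versions)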
<properties>
    <spring.version>3.2.8.RELEASE</spring.version>
    <spring.security.version>3.2.3.RELEASE</spring.security.version>
    <jstl.version>1.2</jstl.version>
    <mysql.connector.version>5.1.30</mysql.connector.version>
</properties>
spring-security.xml file
<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
    <!-- access denied page -->
    <security:access-denied-handler error-page="/403"/>
    <security:form-login
        login-page="/login" default-target-url="/loginSuccess" authentication-failure-url="/loginError?error"/>
    <!-- enable csrf protection-->
    <security:csrf/>
</security:http>
<!-- Select users and user_roles from database -->
<security:authentication-manager>
    <security:authentication-provider>
        <!--<security:jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="select username,password, enabled from registration where username=?"
        authorities-by-username-query="select username, role from registration where username=?"/> -->
        <security:user-service>
            <security:user name="test" password="test" authorities="ROLE_USER" />
            <security:user name="test1" password="test1" authorities="ROLE_ADMIN" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>
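Controller
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class MainController {
    // Renders the login form
    @RequestMapping(value={"/login"})
    public ModelAndView loginPage(){
        ModelAndView model = new ModelAndView("login");
        return model;
    }
    // Target of default-target-url; mapped to POST only
    @RequestMapping(value={"/loginSuccess"},method=RequestMethod.POST)
    public ModelAndView loginSuccess(Principal principal,HttpServletRequest request,HttpSession session){
        ModelAndView model = new ModelAndView("success");
        //Testing.......
        String name = principal.getName();
        model.addObject("username", name);
        session = request.getSession();
        session.setAttribute("USER", "system");
        return model;
    }
}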
login.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page language="java" import="java.util.*" pageEncoding="ISO-8859-1"%>
<%@page session="true"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    <base href="<%=basePath%>">
    <title>login Page</title>
    <!-- <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="cache-control" content="no-cache">
    <meta http-equiv="expires" content="0">
    <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
    <meta http-equiv="description" content="This is my page">
    <link rel="stylesheet" type="text/css" href="styles.css">
    -->
</head>
<body onload='document.loginForm.username.focus();'>
    <h1>Spring Security Login Form (Database Authentication)</h1>
    <div>
        <h3>Login with Username and Password</h3>
        <c:if test="${not empty error}">
            <div>${error}</div>
        </c:if>
        <form name="loginForm" action="j_spring_security_check" method="post">
            <table>
                <tr>
                    <td>Username</td>
                    <td><input type="text" name=j_username></td>
                </tr>
                <tr>
                    <td>Password</td>
                    <td><input type="password" name=j_password></td>
                </tr>
                <tr>
                    <td colspan='2'><input name="submit" type="submit"
                        value="submit" /></td>
                </tr>
            </table>
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        </form>
    </div>
</body>
</html>
403.jsp
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
    <h1>HTTP Status 403 - Access is denied</h1>
    <c:choose>
        <c:when test="${empty username}">
            <h2>You do not have permission to access this page!</h2>
        </c:when>
        <c:otherwise>
            <h2>Username : ${username} <br/>You do not have permission to access this page!</h2>
        </c:otherwise>
    </c:choose>
</body>
</html>
Output:
HTTP Status 403 - Access is denied
Username : ${username}
You do not have permission to access this page!
Please help.
Solution
Controller:
@RequestMapping(value={"/","/loginSuccess"},method=RequestMethod.GET)
public ModelAndView loginSuccess()
web.xml
<welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
</welcome-file-list>
as the default page
You are using an old Spring Security version... anyway, you can take a look here: https://docs.spring.io/spring-security/site/docs/4.2.4.BUILD-SNAPSHOT/reference/htmlsingle/#csrf. Basically, you are enabling CSRF protection but you are not passing the token value to Spring –
@AngeloImmediata How do I pass the token value? –
https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html – Korashen
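A simplified model of the server-side synchronizer-token check that produces the "Invalid CSRF Token 'null'" message quoted in the question, added here as an example; it is not Spring Security's own code and not part of the original thread. The class CsrfCheckDemo and its methods are hypothetical, and the constant-time comparison is a choice made for this example; only the `_csrf` and `X-CSRF-TOKEN` names come from the error message above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Simplified model of a synchronizer-token check; not Spring Security's own code.
public class CsrfCheckDemo {
    static final String PARAM = "_csrf";           // parameter name from the error message
    static final String HEADER = "X-CSRF-TOKEN";   // header name from the error message
    static final List<String> SAFE = Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS");

    // Token the server stores in the session and renders into the form.
    static String newToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Returns null when the request may proceed, otherwise the reason for the 403.
    static String check(String method, Map<String, String> headers,
                        Map<String, String> params, String sessionToken) {
        if (SAFE.contains(method)) return null;          // read-only methods are not checked
        String actual = headers.get(HEADER);             // header first (script clients)
        if (actual == null) actual = params.get(PARAM);  // then the hidden form field
        boolean ok = actual != null && sessionToken != null && MessageDigest.isEqual(
                actual.getBytes(StandardCharsets.UTF_8),
                sessionToken.getBytes(StandardCharsets.UTF_8));
        return ok ? null : "Invalid CSRF Token '" + actual + "' was found on the request parameter '"
                + PARAM + "' or header '" + HEADER + "'.";
    }

    public static void main(String[] args) {
        String token = newToken();                  // constructed sample session token
        Map<String, String> none = new HashMap<>();
        Map<String, String> form = new HashMap<>();
        form.put(PARAM, token);                     // what the hidden input submits
        Map<String, String> ajax = new HashMap<>();
        ajax.put(HEADER, token);                    // what a script would send instead
        System.out.println("GET  no token   -> " + check("GET", none, none, token));
        System.out.println("POST no token   -> " + check("POST", none, none, token));
        System.out.println("POST form field -> " + check("POST", none, form, token));
        System.out.println("POST header     -> " + check("POST", ajax, none, token));
        System.out.println("POST stale      -> " + check("POST", none, form, newToken()));
    }
}
```

Only the POST with no token and the POST checked against a different session token are rejected; a state-changing request passes when either the hidden field or the header carries the session's token.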