I am new to the Spring framework and Java, but I know the Laravel framework, and doing the CSRF implementation with Laravel works fine. How do I do the CSRF implementation in Spring 4.3?
How to do a CSRF implementation in Spring 4.3?
I referred to the documentation at the link below:
https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html
Here I show my sample code.
web.xml
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>Sample</display-name>
    <!-- Only the DispatcherServlet is declared here; no <filter> or <listener> elements. -->
    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>
            org.springframework.web.servlet.DispatcherServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>
dispatcher-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-4.3.xsd">
    <!-- Scans com.controllers, the package that holds both PageController and WebSecurityConfig. -->
    <context:component-scan base-package="com.controllers" />
    <!-- Maps a view name such as "Login" to /WEB-INF/jsp/Login.jsp -->
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>
    <mvc:annotation-driven/>
</beans>
PageController.java
package com.controllers;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class PageController
{
    // Renders /WEB-INF/jsp/Login.jsp via the InternalResourceViewResolver
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String ShowIndexPage()
    {
        return "Login";
    }

    // Target of the AJAX POST from Login.jsp; also reachable by GET
    @RequestMapping(value = "/LoginAuth", method = {RequestMethod.GET, RequestMethod.POST})
    @ResponseBody
    public String LoginAuth(HttpServletRequest HTTPRequest, HttpServletResponse HTTPResponse)
    {
        return "LoginAuth";
    }
}
WebSecurityConfig.java
package com.controllers;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        // Enables CSRF protection (it is on by default; nothing else is configured here)
        http.csrf();
    }
}
I added the CSRF token to the head of the Login.jsp page:
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Welcome to Spring Web MVC project</title>
    <%-- Token and header name come from the _csrf request attribute set by Spring Security's CsrfFilter --%>
    <meta name="_csrf" content="${_csrf.token}"/>
    <meta name="_csrf_header" content="${_csrf.headerName}"/>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
</head>
<body>
    <div class="LoginPanel">
        <form role="form" action="LoginAuth">
            <input value="sample" type="text" name="Username" class="form-control" data-parsley-type="alphanum" placeholder="Username" required/>
            <button type="button" class="btn-block Signin btn btn-labeled1 btn-warning">
                Sign in
            </button>
        </form>
    </div>
    <script>
        $(document).ready(function()
        {
            var Form = $(".LoginPanel").find("form");
            $(".LoginPanel").find("button.Signin").click(function(Event)
            {
                Event.preventDefault();
                $.ajax(
                {
                    type: "POST",
                    url: "LoginAuth",
                    data: Form.serialize(),
                    // Copy the token from the <meta> tags into the CSRF request header
                    beforeSend: function (xhr, settings)
                    {
                        var CSRFToken = $("meta[name='_csrf']").attr("content");
                        console.log(CSRFToken);
                        var CSRFHeader = $("meta[name='_csrf_header']").attr("content");
                        console.log(CSRFHeader);
                        xhr.setRequestHeader(CSRFHeader, CSRFToken);
                    },
                    success: function(ResponseData, textStatus, jqXHR)
                    {
                        console.log(ResponseData);
                        alert("success");
                    },
                    error: function(jqXHR, textStatus, errorThrown)
                    {
                        console.log("Error");
                    }
                });
            });
        });
    </script>
</body>
</html>
Project structure (in NetBeans)
The project builds without errors. Then I run it and view the page source in the browser (of login.jsp):
<meta name="_csrf" content=""/>
<meta name="_csrf_header" content=""/>
These fields are still empty.
There is no security filter, so no security will be applied.