How to use Spring Security's default CSRF protection with AngularJS
Tags: angularjs, spring-security, csrf, csrf-protection, x-xsrf-token

I have a Spring Boot application secured with Spring Security. Now I want to protect it against CSRF vulnerabilities, so I added this line to my Spring Security configuration:
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
On the client side I am using AngularJS 1.6.
I added the following two lines to my app.js file:
$httpProvider.defaults.xsrfCookieName = 'XSRF-TOKEN';
$httpProvider.defaults.xsrfHeaderName = 'X-XSRF-TOKEN';
Now, when I try to perform some requests, I get an Unauthorized status. I think I am missing something; can someone help me?

---- More details: here is my Spring Security configuration:
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Override
protected void configure(HttpSecurity http) throws Exception {
    System.out.println("Setting up Security configuration");
    // CSRF token is stored in the XSRF-TOKEN cookie; HttpOnly=false so the
    // browser-side JavaScript (AngularJS) can read it and echo it back in a header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and() /* .disable() */
        .addFilterBefore(new AlreadyConnectedFilter(), UsernamePasswordAuthenticationFilter.class)
        .authenticationProvider(authProvider)
        .exceptionHandling()
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
        .formLogin()
            .permitAll()
            .loginProcessingUrl("/login")
            .usernameParameter("username")
            .passwordParameter("password")
            .successHandler(authSuccessHandler)
            .failureHandler(authFailureHandler)
            .and()
        .logout()
            .permitAll()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "DELETE"))
            .logoutSuccessHandler(logoutSuccessHandler)
            .and()
        .sessionManagement()
            .maximumSessions(-1)
            .expiredSessionStrategy(new CustomSessionInformationExpiredStrategy())
            .sessionRegistry(sessionRegistry());
    http.httpBasic().and().authorizeRequests()
        .anyRequest().permitAll();
    // JSON bodies for 403 (authenticated but denied) and 401 (not authenticated).
    http.exceptionHandling()
        .accessDeniedHandler((request, response, accessDeniedException) -> {
            response.setContentType("application/json");
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            Map<String, Object> contentToSend = new HashMap<>();
            contentToSend.put("message", accessDeniedException.getMessage());
            contentToSend.put("errors", new ArrayList<>());
            contentToSend.put("status", response.getStatus());
            PrintWriter writer = response.getWriter();
            writer.write(new ObjectMapper().writeValueAsString(contentToSend));
            writer.flush();
        })
        .authenticationEntryPoint((request, response, authException) -> {
            response.setContentType("application/json");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            Map<String, Object> contentToSend = new HashMap<>();
            contentToSend.put("message", authException.getMessage());
            contentToSend.put("errors", new ArrayList<>());
            contentToSend.put("status", response.getStatus());
            PrintWriter writer = response.getWriter();
            writer.write(new ObjectMapper().writeValueAsString(contentToSend));
            writer.flush();
        });
}
Here is what I get when I try to issue a POST request:

Invalid CSRF token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-Token'.

Please check whether I have to use the default Spring Security protection; in this example they use a custom filter.... I believe I am missing something on the client side, can anyone help me?
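As an added illustration (not code from the question, from Spring Security or from AngularJS), the following JavaScript models the cookie-to-header check that `CookieCsrfTokenRepository.withHttpOnlyFalse()` and the AngularJS `$http` xsrf defaults perform between them, including the request shape that yields the "Invalid CSRF token 'null'" message above; the function names and the token value are my own.

```javascript
// Added illustration, not the question's code: the cookie-to-header CSRF check
// that CookieCsrfTokenRepository.withHttpOnlyFalse() and the AngularJS $http
// xsrf defaults implement together. Function names are my own.
const XSRF_COOKIE = 'XSRF-TOKEN';   // set by the server, readable by JS
const XSRF_HEADER = 'X-XSRF-TOKEN'; // AngularJS copies the cookie value here
// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Client side: what AngularJS 1.6 $http does before sending. The header is
// attached only for same-origin URLs and only if the cookie already exists.
function angularXsrfHeaders(documentCookie, url, pageOrigin) {
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  const token = sameOrigin ? parseCookies(documentCookie)[XSRF_COOKIE] : undefined;
  return token ? { [XSRF_HEADER]: token } : {};
}

// Server side: the decision CsrfFilter takes on a non-GET request. Expected
// token comes from the cookie, actual token from the header or _csrf param;
// a missing actual token produces the "Invalid CSRF token 'null'" message.
function csrfCheck(req) {
  const expected = parseCookies(req.cookie)[XSRF_COOKIE];
  const actual = req.headers[XSRF_HEADER] || (req.params && req.params._csrf) || null;
  if (actual === null || actual !== expected) {
    return { ok: false, status: 403, message: `Invalid CSRF token '${actual}' ` +
      `was found on the request parameter '_csrf' or header '${XSRF_HEADER}'` };
  }
  return { ok: true, status: 200, message: 'token matched' };
}

// Three constructed scenarios around the question's setup.
function scenarios() {
  const origin = 'https://app.example';
  const cookie = `${XSRF_COOKIE}=c0ffee-constructed-token`; // as set by the server
  const post = (c, headers) => csrfCheck({ cookie: c, headers, params: {} });
  return {
    // POST before any response set the cookie (e.g. /login as the first call).
    firstPostNoCookie: post('', angularXsrfHeaders('', '/login', origin)),
    // Cookie present, same-origin URL: header attached and it matches.
    sameOriginPost: post(cookie, angularXsrfHeaders(cookie, '/api/items', origin)),
    // Absolute URL on another origin: AngularJS never attaches the header.
    crossOriginPost: post(cookie, angularXsrfHeaders(cookie, 'https://other.example/x', origin)),
  };
}
```

AngularJS 1.6 already defaults to the XSRF-TOKEN cookie and X-XSRF-TOKEN header names, and it adds the header only when that cookie is already present in the browser, so a POST sent before any server response has set the cookie arrives with no header at all.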