Introductory Spring Boot MVC application: login fails with "Could not verify the provided CSRF token because your session was not found"

Tags: spring-mvc, spring-boot, groovy, spring-security

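I'm trying to write a simple introductory application with Spring Boot, Spring MVC and Spring Security, but after submitting the login form I am redirected to a Whitelabel Error Page because of a 403 response. The error message is
Could not verify the provided CSRF token because your session was not found.

Can anyone tell me what I'm doing wrong? Should I somehow disable CSRF filtering for the login endpoint? Even though it seems to be saying that a CSRF token was provided, I don't see one in the request's headers or form data... Could that be the problem? That I'm not even providing a CSRF token?

/build.gradle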

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.springframework.boot:spring-boot-gradle-plugin:1.5.7.RELEASE'
    } 
}

apply plugin: 'groovy' 
apply plugin: 'java' 
apply plugin: 'war' 
apply plugin: 'idea' 
apply plugin: 'org.springframework.boot'

sourceCompatibility = 1.8

repositories {
    mavenCentral() 
}

dependencies {
    compile ('org.springframework.boot:spring-boot-starter-web') {
        exclude module: 'spring-boot-starter-tomcat'
    }
    compile 'org.springframework.boot:spring-boot-starter-jetty'
    compile 'org.springframework.boot:spring-boot-starter-actuator'
    compile 'org.springframework.boot:spring-boot-starter-security'
    compile 'org.codehaus.groovy:groovy-all:2.3.11'
    compile 'javax.servlet:jstl:1.2'
    testCompile group: 'junit', name: 'junit', version: '4.12'
    testCompile 'org.springframework.boot:spring-boot-starter-test'
    testCompile 'org.springframework.security:spring-security-test' 
}
/src/main/groovy/my.little.app.Application.groovy

@SpringBootApplication
@EnableWebMvc
@EnableAutoConfiguration
@ComponentScan
class Application extends AbstractAnnotationConfigDispatcherServletInitializer {
    protected Class<?>[] getRootConfigClasses() {
        return [WebMvcConfig.class, WebSecurityConfig.class]
    }
    protected Class<?>[] getServletConfigClasses() {
        return [WebMvcConfig.class, WebSecurityConfig.class]
    }
    protected String[] getServletMappings() {
        return [ "/" ]
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args)
    }
}
/src/main/groovy/my.little.app.config.WebMvcConfig.groovy

@Configuration
@ComponentScan('my.little.app')
@EnableWebMvc
class WebMvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        super.addViewControllers(registry)
        registry.addViewController('/index').setViewName('index')
        registry.addViewController('/login').setViewName('login')
        registry.addViewController('/secure_page').setViewName('secure_page')
    }

    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }

    @Bean
    public ViewResolver internalResourceViewResolver() {
        InternalResourceViewResolver bean = new InternalResourceViewResolver()
        // bean.setViewClass(JstlView.class)
        bean.setPrefix('/WEB-INF/views/')
        bean.setSuffix('.jsp')
        return bean
    }
}
/src/main/groovy/my.little.app.config.WebSecurityConfig.groovy

@Configuration
@EnableWebMvc
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity security) {
        security
            .authorizeRequests()
                .antMatchers('/', '/index').permitAll()
                .antMatchers('/login').anonymous()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage('/login').permitAll()
                .defaultSuccessUrl('/secure_page')
                .failureUrl('/login?error=true')
                .and()
            .logout()
                .permitAll()
                .logoutSuccessUrl('/login')

    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) {
        authBuilder
            .inMemoryAuthentication()
                .withUser('doug').password('las').roles('WIZARD')
    }
}
/src/main/webapp/WEB-INF/views/index.jsp

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Web Security Tutorial</title>
    </head>
    <body>
        <div>Welcome to the Web Security Tutorial</div>
        <form method="get" action="/login">
            <input type="submit" value="Sign In" />
        </form>
    </body>
</html>

/src/main/webapp/WEB-INF/views/login.jsp

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Web Security Tutorial</title>
    </head>
    <body>
        <form method="post" action="login">
            <div><label> User name: <input name="username" type="text"/></label></div>
            <div><label> Password: <input name="password" type="password"/></label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
</html>

/src/main/webapp/WEB-INF/views/secure_page.jsp

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Web Security Tutorial</title>
    </head>
    <body>
        <div>Don't worry, no one can see this but you. Here are your deepest darkest secrets...</div>
        <form action="/logout">
            <input type="submit" value="Log Out"/>
        </form>
    </body>
</html>

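Added example (not part of the original question): the posted login.jsp submits only username and password, so the POST carries no CSRF token. The version below keeps CSRF protection enabled and sends the token that Spring Security's CsrfFilter exposes as the `_csrf` request attribute; it assumes JSP EL is enabled and reuses the question's paths. The log-out form is switched to POST as well, since Spring Security only accepts POST on /logout while CSRF protection is on.

```jsp
<%-- /src/main/webapp/WEB-INF/views/login.jsp
     Added example, not the asker's file: same form plus the CSRF field. --%>
<%@ page contentType="text/html;charset=UTF-8" %>
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Web Security Tutorial</title>
    </head>
    <body>
        <form method="post" action="login">
            <div><label> User name: <input name="username" type="text"/></label></div>
            <div><label> Password: <input name="password" type="password"/></label></div>
            <%-- _csrf is the CsrfToken that Spring Security's CsrfFilter places
                 on every request. parameterName resolves to the expected form
                 field name and token to the value bound to this session. --%>
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
</html>

<%-- Fragment for /src/main/webapp/WEB-INF/views/secure_page.jsp
     Added example: log out with POST and the same token instead of a GET. --%>
<form method="post" action="/logout">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <input type="submit" value="Log Out"/>
</form>
```

To check the result, view the rendered login page source and confirm the hidden field has a non-empty value, then confirm the POST body contains that field alongside the session cookie.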