Warning: file_get_contents(/data/phpspider/zhask/data//catemap/8/design-patterns/2.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
spring 4和CSRF_Spring_Spring Security_Spring Boot_Spring Restcontroller - Fatal编程技术网
Fatal编程技术网

spring 4和CSRF

spring spring-security spring-boot

spring 4和CSRF,spring,spring-security,spring-boot,spring-restcontroller,Spring,Spring Security,Spring Boot,Spring Restcontroller,我在一个单页应用程序中使用SpringBoot、SpringRest和SpringSecurity 对于Spring4,默认情况下启用CSRF 我写了一个扩展WebSecurity配置适配器的类 protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/rest/**").authenticated(); http.e

我在一个单页应用程序中使用SpringBoot、SpringRest和SpringSecurity

对于Spring4,默认情况下启用CSRF

我写了一个扩展WebSecurity配置适配器的类

    protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests().antMatchers("/rest/**").authenticated();

      http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
      http.formLogin().successHandler(authenticationSuccessHandler);
      http.formLogin().failureHandler(authenticationFailureHandler);
      http.logout().logoutSuccessUrl("/");

    // tried with and without... same issue
      http.addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class);

}
CsrfTokenResponseHeaderBindingFilter来自

我只使用html(所以没有jsp,没有XHTML…)页面。 我使用ajax调用并提供html

请求头

POST /login HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 30
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
Origin: http://localhost:8080
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: JSESSIONID=B05ED2676EC1637D74AC7622E018C9FD
以我的形式,我有

 <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
当日志失败时,此命令返回null

jqXHR.getResponseHeader('X-CSRF-TOKEN')
ajax调用

var data = 'username=' + $('#username').val() + '&password=' +  $('#password').val();
  $.ajax({
    data: data,
    timeout: 1000,
    type: 'POST',
    url: '/login'
  }).done(function (data, textStatus, jqXHR) {
     window.location = "main.html";
  }).fail(function (jqXHR, textStatus, errorThrown) {
  });
});
编辑

在浏览器中,当我连接到localhost:8080时

我在标题中看到了答案

X-CSRF-HEADER:X-CSRF-TOKEN
X-CSRF-PARAM:_csrf
X-CSRF-TOKEN:0d5bf042-a30f-4f2e-a99c-51ed512f811a
如何在JS中获取这些信息?我需要把它放在我的post通话中。

没有足够的信息来调试这个问题。您应该发布以下信息:

  • 您的XML/JavaSpring安全配置
  • 您的SpringWeb配置。您使用的是JSP还是XHTML?您确定视图模型正确吗?可能您的web模块没有发送令牌时出现问题
  • 实际的http请求头/正文。请求是否确实正确,或者spring只是没有接收令牌
    • 告诉我们HTTP请求PLSY您没有在POST中发送csrf参数我想放在那里什么? 
    X-CSRF-HEADER:X-CSRF-TOKEN
X-CSRF-PARAM:_csrf
X-CSRF-TOKEN:0d5bf042-a30f-4f2e-a99c-51ed512f811a