如何在Spring中预处理对所有控制器的请求?验证CSRF令牌
我正在开发一个SpringMVC后端(和GWT前端),它提供了一个REST接口。出于安全原因,它应该在每个请求上验证令牌。现在的问题是:我如何检查令牌而不在每个控制器中写入它应该检查的内容?我想到一个类,它有一个方法,在请求到达负责的控制器并检查令牌之前运行,如果令牌有效,它将把数据传递给控制器 通过导线发送的JSON数据如下所示:如何在Spring中预处理对所有控制器的请求?验证CSRF令牌,spring,rest,spring-mvc,csrf,Spring,Rest,Spring Mvc,Csrf,我正在开发一个SpringMVC后端(和GWT前端),它提供了一个REST接口。出于安全原因,它应该在每个请求上验证令牌。现在的问题是:我如何检查令牌而不在每个控制器中写入它应该检查的内容?我想到一个类,它有一个方法,在请求到达负责的控制器并检查令牌之前运行,如果令牌有效,它将把数据传递给控制器 通过导线发送的JSON数据如下所示: { "data": { "id":1, "firstName":"firstExample", "l
{
"data":
{
"id":1,
"firstName":"firstExample",
"lastName":"lastExample"
},
"csrf":"myCSRFToken"
}
Spring设置的其余部分如下所示:
{
"data":
{
"id":1,
"firstName":"firstExample",
"lastName":"lastExample"
},
"csrf":"myCSRFToken"
}
web.xml:
<context-param>
<param-name>contextClass</param-name>
<param-value>org.springframework.web.context.support.AnnotationConfigWebApplicationContext</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>myapp.server.AppConfig</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/rest/*</url-pattern>
</servlet-mapping>
人事控制员:
@Controller
@RequestMapping("/persons")
public class PersonController {
@ResponseBody
@RequestMapping(method = RequestMethod.GET)
public Collection<Person> list() {
//
}
}
我对Spring完全陌生,我想知道我必须在哪里修改我的配置才能让它按预期工作
谢谢大家!
它现在在dispatcher-servlet.xml中使用以下代码:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
<context:component-scan base-package="myapp.server.controller" />
<mvc:annotation-driven />
</beans>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
<context:component-scan base-package="myapp.server.controller" />
<mvc:annotation-driven />
<mvc:interceptors>
<bean class="myapp.server.XSRFInterceptor" />
</mvc:interceptors>
</beans>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
</beans>
还有一个问题:如何修改传递给控制器的JSON
问题1的解决方案(xml与java):
dispatcher-servlet.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
<context:component-scan base-package="myapp.server.controller" />
<mvc:annotation-driven />
</beans>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
<context:component-scan base-package="myapp.server.controller" />
<mvc:annotation-driven />
<mvc:interceptors>
<bean class="myapp.server.XSRFInterceptor" />
</mvc:interceptors>
</beans>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
</beans>
还有待解决:如何处理拦截器内的JSON数据?拦截器就是您要寻找的。对不起,我无法从我的手机上发送密码。谢谢。我更进一步了。也许你或其他人可以发布一些代码。我已经创建了一个HandlerInterceptorAdapter(这是适合我的用例的吗?)。AppConfig现在扩展了WebMVCConfigureAdapter,并使用我的拦截器调用addInterceptors。但拦截程序从未被调用。此外,我不知道如何修改其中的JSON数据,因为拦截器只是在其预处理方法中返回一个布尔值。