Spring Security CSRF Token not working with AJAX call & form submit in same JSP


Question

I am trying to implement the Spring Security (ver 3.2.3) CSRF token in my project by referring to the links below:

http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#csrf
http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag

I am able to integrate the CSRF token in the JSP successfully without an AJAX call. But when I tried the JSP with an AJAX call, I get an 'invalid CSRF token exception'. After my analysis I found that both the AJAX call & the form submission use the same token, and because of this I am getting the 'invalid CSRF token exception'.

Could anyone please help me get rid of this issue? Is there any way to generate two tokens, i.e. one for the AJAX call & one for the form submission?

security.xml

        <access-denied-handler ref="accessDenied" />

        <intercept-url pattern="/**" access="ROLE_1" />

        <form-login default-target-url='/loginUser.htm' always-use-default-target='true' authentication-failure-url='/forms/common/login.jsp?error=true' />

        <logout logout-success-url="/forms/common/logout.jsp" invalidate-session="true" delete-cookies="JSESSIONID" />

        <session-management invalid-session-url="/forms/common/sessionexpired.jsp" session-authentication-error-url="/forms/common/login.jsp?Error=alreadyLoggedin">
            <concurrency-control expired-url="/forms/common/sessionexpired.jsp" max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>

        <csrf request-matcher-ref="csrfSecurityRequestMatcher" />
    </http>

    <beans:bean class="com.concerto.pg.login.security.CsrfSecurityRequestMatcher" id="csrfSecurityRequestMatcher" />

JSP

    <head>
    <sec:csrfMetaTags />

    <script type="text/javascript" charset="utf-8">
    function changeList(id, option) {
        // read the CSRF parameter name and token rendered by <sec:csrfMetaTags />
        var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
        var csrfToken = $("meta[name='_csrf']").attr("content");

        var institution = document.getElementById("institutionId").value;
        var data = {};

        data[csrfParameter] = csrfToken;
        data["institutionId"] = option;

        if (id == "institutionId") {
            var result = '';
            $.ajax({
                type: "GET",
                async: false,
                url: './getMerchantByInstitution.htm',
                data: data, //"institutionId=" + option,
                dataType: 'json',
                success: function (res) {
                    result = res;
                    var htmlVar = '';
                    // build one <option> per merchant returned by the server
                    for (var i = 0; i < result.length; i++) {
                        htmlVar += '<option value="' + result[i] + '">' + result[i] + '</option>';
                    }
                    htmlVar += '<option value="ALL">ALL</option>';
                    $('#merchantId').html(htmlVar);
                }
            });
        }
    }
    </script>
    </head>



I added the statement below inside the form tag:

    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />

Thanks & Regards,
Siva

Answer

I hope the answer below helps. Make these changes:

    var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
    var csrfToken = $("meta[name='_csrf']").attr("content");
    var csrfHeader = $("meta[name='_csrf_header']").attr("content");  // THIS WAS ADDED

and

    var headers = {};                   // object holding the CSRF header (must be declared before use)
    data[csrfParameter] = csrfToken;
    data["institutionId"] = option;
    headers[csrfHeader] = csrfToken;    // THIS WAS ADDED

Finally, change the ajax call:

    url: './getMerchantByInstitution.htm',
    headers: headers,    // THIS WAS ADDED
    data: data, //"institutionId=" + option,
    dataType: 'json',

Let me know if this works.
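As an added example (not code from the question or the answer), a plain-JavaScript model of why one token is enough: the hidden form field and the AJAX header carry the same session token, and the server-side helper mirrors the lookup order Spring's CsrfFilter uses (header first, then the request parameter). It is a simplified model, not Spring's own code; the meta values, token and URL are constructed for the example.

```javascript
// Added example, not the question's or the answer's code: a plain-JS model of what a
// Spring Security CsrfFilter-protected endpoint sees. The server helper is a simplified
// model of CsrfFilter's lookup (header first, then parameter), not Spring's own code.

// Values as <sec:csrfMetaTags/> renders them (token value is a constructed sample).
const csrfMeta = {
  parameterName: "_csrf",
  headerName: "X-CSRF-TOKEN",
  token: "3f2c1a9e-0000-4000-8000-constructed",
};

// Client side: jQuery-style settings for the AJAX call. As in the answer, the token
// travels in a header; adding it to `data` as well is harmless but not required.
function buildAjaxSettings(meta, url, payload) {
  const headers = {};
  headers[meta.headerName] = meta.token;
  return { type: "GET", url: url, headers: headers, data: Object.assign({}, payload), dataType: "json" };
}

// Client side: the classic form submit, modelled as its parsed request parameters.
function buildFormBody(meta, fields) {
  const body = Object.assign({}, fields);
  body[meta.parameterName] = meta.token;
  return body;
}

// Server side: read the header; only if absent, fall back to the parameter; then compare
// with the token stored in the HttpSession. A stale or missing value is rejected.
function serverAcceptsCsrf(sessionToken, meta, request) {
  const headers = request.headers || {};
  const params = request.params || {};
  let actual = headers[meta.headerName];
  if (actual === undefined) {
    actual = params[meta.parameterName];
  }
  return actual !== undefined && actual === sessionToken;
}

// Both paths from the question, sharing one session token; a stale header is rejected
// even when the parameter is correct, because the header is consulted first.
function demo() {
  const ajax = buildAjaxSettings(csrfMeta, "./getMerchantByInstitution.htm", { institutionId: "INST1" });
  const form = buildFormBody(csrfMeta, { institutionId: "INST1" });
  return {
    ajaxOk: serverAcceptsCsrf(csrfMeta.token, csrfMeta, { headers: ajax.headers, params: ajax.data }),
    formOk: serverAcceptsCsrf(csrfMeta.token, csrfMeta, { params: form }),
    staleHeaderRejected: !serverAcceptsCsrf(csrfMeta.token, csrfMeta, { headers: { "X-CSRF-TOKEN": "stale" }, params: form }),
  };
}
```

Run `demo()` to see both the form path and the AJAX path accepted with the single session token; the only way to get the exception in this model is a missing or mismatched token, not the reuse of one token.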
