Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'


Problem description

After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object.

This is the Spring Security config:

<http pattern="/login.jsp" security="none"/>

<http>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?error=1"
                default-target-url="/index.jsp"/>
    <logout/>
    <csrf />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="test" password="test" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

The login.jsp file

<form name="f" action="${contextPath}/j_spring_security_check" method="post" >
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button id="ingresarButton"
            name="submit"
            type="submit"
            class="right"
            style="margin-right: 10px;">Ingresar</button>
    <span>
        <label for="usuario">Usuario :</label>
        <input type="text" name="j_username" id="u" class="" value=''/>
    </span>
    <span>
        <label for="clave">Contrase&ntilde;a :</label>

        <input type="password"
               name="j_password"
               id="p"
               class=""
               onfocus="vc_psfocus = 1;"
               value="">
    </span>
</form>

And it renders the following HTML:

<input type="hidden" name="" value="" />

The result is a 403 HTTP status:

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

UPDATE: After some debugging, the request object gets out fine from DelegatingFilterProxy, but in line 469 of CoyoteAdapter it executes request.recycle(); which erases all the attributes...

I tested in Tomcat 6.0.36 and 7.0.50 with JDK 1.7.

I have not understood this behavior; rather, it would be helpful if someone could point me in the direction of some sample application war with Spring Security 3.2 that works with CSRF.

Recommended answer

It looks like the CSRF (Cross Site Request Forgery) protection in your Spring application is enabled. Actually it is enabled by default.

According to spring.io:

When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

So to disable it:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Turns CSRF protection off for every request handled by this filter chain
    http.csrf().disable();
  }
}

If you want to keep CSRF protection enabled, though, then you have to include the CSRF token in your form. You can do it like this:

<form .... >
  ....other fields here....
  <input type="hidden"  name="${_csrf.parameterName}"   value="${_csrf.token}"/>
</form>

You can even include the CSRF token in the form's action:

<form action="./upload?${_csrf.parameterName}=${_csrf.token}" method="post" enctype="multipart/form-data">
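As an added example (not code from the question or the answer above), here is a Spring Security 3.2 Java configuration that keeps CSRF protection enabled and mirrors the question's XML config, with the login page permitted inside the filter chain rather than excluded from it; the class and bean names are assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name; equivalent of the question's <http> and
// <authentication-manager> XML, but with CSRF protection left on.
@Configuration
@EnableWebSecurity
public class CsrfEnabledSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
        // The login page is served *inside* the security filter chain and
        // merely permitted to everyone. Because CsrfFilter still runs for
        // it, the _csrf request attribute is populated and login.jsp can
        // render ${_csrf.parameterName} / ${_csrf.token}. A page that is
        // excluded from the chain entirely never gets that attribute.
        .antMatchers("/login.jsp").permitAll()
        .anyRequest().hasRole("USER")
        .and()
      .formLogin()
        .loginPage("/login.jsp")
        .loginProcessingUrl("/j_spring_security_check")
        .failureUrl("/login.jsp?error=1")
        .defaultSuccessUrl("/index.jsp")
        .usernameParameter("j_username")
        .passwordParameter("j_password")
        .and()
      .logout()
        .and()
      // Explicit for readability: CSRF protection is on by default in the
      // Java config, so this line changes nothing but documents the intent.
      .csrf();
  }

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // Same in-memory test user as the question's <user-service>
    auth.inMemoryAuthentication()
        .withUser("test").password("test").roles("USER");
  }
}
```

In the question's XML, `<http pattern="/login.jsp" security="none"/>` takes the login page out of the filter chain, so CsrfFilter never sets `_csrf` for that request and the hidden input renders with empty name and value; keeping the page inside the chain and permitting it is what makes the token available to the JSP.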
