Spring Security 3.2.0 CSRF令牌在Freemarker模板中不起作用 [英] spring security 3.2.0 csrf token not working in freemarker template
问题描述
升级到Spring Security 3.2.0并配置xml后,_csrf令牌不起作用。
基本知识:
- Spring 4.0.1
- Spring Security 3.2.0。
- Freemarker模板语言
第1步-Spring Security xml配置:
<!-通过csrf-element启用csrf保护->
< sec:http>
<!-->
< sec:csrf token-repository-ref = csrfTokenRepository />
< / sec:http>
< ;!-重写headerName->
< bean id = csrfTokenRepository class = org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository>
<属性名称= headerName值= X-SECURITY />
< / bean>
步骤2-免费标记模板:
< form accept-charset = UTF-8 action = / portal method = POST name = formAddItemToCart>
<!-...->
< ;!-inlcude csrf令牌->
<输入类型=隐藏
name = $ {_ csrf.parameterName}
value = $ {_ csrf.token} />
< / form>
步骤3-呈现的输出:
< form accept-charset = UTF-8 action = / portal method = POST name = formAddItemToCart>
<!-...->
<输入类型= hidden name = value = />
< / form>
步骤4-freemarker模板错误:
< pre $ = lang-html prettyprint-override>
FreeMarker模板错误:
以下内容评估为null或丢失:
==> _csrf [在第28行第21列的模板 cart.ftl中]
参考:
http:// docs。 spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#csrf
目前我正在调试整个系统应用。
我不知道问题出在哪里-但csrf似乎无法与freemarker一起使用。通常可以在freemarker模板中包含csrf令牌吗?您有任何建议或解决方案吗?
更新:
xml配置不正确。
我找到了这种解决方案,对我有很大帮助。
https://github.com/spring-projects/ spring-mvc-showcase / commit / 361adc124c05a8187b84f25e8a57550bb7d9f8e4
现在我的文件如下:
security.xml
< sec:http>
<!-...->
< sec:csrf />
< / sec:http>
< bean id = requestDataValueProcessor class = org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor />
< bean id = csrfFilter class = org.springframework.security.web.csrf.CsrfFilter>
< constructor-arg>
< bean class = org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository>
<属性名称= headerName值= X-SECURITY />
< / bean>
< / constructor-arg>
< / bean>
web.xml
< filter>
< filter-name> csrfFilter< / filter-name>
< filter-class> org.springframework.web.filter.DelegatingFilterProxy< / filter-class>
< async-supported> true< / async-supported>
< / filter>
< filter-mapping>
< filter-name> csrfFilter< / filter-name>
< url-pattern> / *< / url-pattern>
< / filter-mapping>
After uprading to Spring Security 3.2.0 and configuring the xml, the _csrf token is not working.
Fundamentals:
- Spring 4.0.1
- Spring Security 3.2.0.
- Freemarker Template Language
Step 1 - the spring security xml configuration:
<!-- enable csrf protection via csrf-element -->
<sec:http>
<!-- -->
<sec:csrf token-repository-ref="csrfTokenRepository" />
</sec:http>
<!-- rewrite headerName -->
<bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
<property name="headerName" value="X-SECURITY" />
</bean>
Step 2 - the freemarker template:
<form accept-charset="UTF-8" action="/portal" method="POST" name="formAddItemToCart">
<!-- ... -->
<!-- inlcude csrf token -->
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
</form>
Step 3 - the rendered output:
<form accept-charset="UTF-8" action="/portal" method="POST" name="formAddItemToCart">
<!-- ... -->
<input type="hidden" name="" value=""/>
</form>
Step 4 - the freemarker template error:
FreeMarker template error:
The following has evaluated to null or missing:
==> _csrf [in template "cart.ftl" at line 28, column 21]
Reference: http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#csrf
Currently i'm debugging the whole application.
I don't know where exactly the problem is - but it seems that csrf isn't working with freemarker. Is this generally possible to include the csrf token in the freemarker template? Do you have any suggestions or solutions?
UPDATE:
xml configuration was not made properly. I've found this solution which helps me lot. https://github.com/spring-projects/spring-mvc-showcase/commit/361adc124c05a8187b84f25e8a57550bb7d9f8e4
Now my files look like these:
security.xml
<sec:http>
<!-- ... -->
<sec:csrf />
</sec:http>
<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"/>
<bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
<constructor-arg>
<bean class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
<property name="headerName" value="X-SECURITY" />
</bean>
</constructor-arg>
</bean>
web.xml
<filter>
<filter-name>csrfFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>csrfFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
这篇关于Spring Security 3.2.0 CSRF令牌在Freemarker模板中不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!