Spring Security 3.2 CSRF support for multipart requests


Question

We have been using Spring Security with our application for a few years now. Last week we upgraded Spring Security from version 3.1.4 to 3.2.0. The upgrade went fine and we did not find any errors post the upgrade.

While looking through the Spring Security 3.2.0 documentation we came across the newly added features around CSRF protection and security headers. We followed the instructions in the Spring Security 3.2.0 documentation to enable CSRF protection for our protected resources. It works fine for regular forms but does not work for multipart forms in our application. On form submission, CsrfFilter throws an Access Denied error citing the absence of a CSRF token in the request (determined through DEBUG logs). We have tried using the first option suggested in the Spring Security documentation for making CSRF protection work with multipart forms. We do not want to use the second suggested option as it leaks CSRF tokens through the URLs and poses a security risk.

The relevant part of our configuration based on the documentation is available as a Gist on Github. We are using Spring version 4.0.0.

Note that we have already tried the following variations without success:

  1. Not declaring the MultipartFilter in web.xml.
  2. Not setting the resolver bean name for the MultipartFilter in web.xml.
  3. Using the default resolver bean name filterMultipartResolver in webContext.xml.

UPDATE: I have confirmed that the documented behaviour does not work even with a single page sample app. Can anyone confirm that the documented behaviour works as expected? Is there an example working application that can be used?

Accepted answer

I was able to resolve this with help from the Spring Security team. I have updated the Gist to reflect a working configuration. I had to follow the steps given below in order to get everything to work as expected.

1. Common steps

Add a MultipartFilter to web.xml as described in the answer by @holmis83, ensuring that it is added before the Spring Security configuration:

<filter>
    <display-name>springMultipartFilter</display-name>
    <filter-name>springMultipartFilter</filter-name>
    <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>springMultipartFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <display-name>springSecurityFilterChain</display-name>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

2.1. Using the Apache Commons Multipart Resolver

Ensure that there is an Apache Commons Multipart Resolver bean named filterMultipartResolver in the root Spring application context. I will stress this again, make sure that the Multipart Resolver is declared in the root Spring Context (usually called applicationContext.xml). For example,

web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath*:springWebMultipartContext.xml
    </param-value>
</context-param>

springWebMultipartContext.xml

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="filterMultipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <property name="maxUploadSize" value="100000000" />
    </bean>
</beans>

Make sure that the bean is called filterMultipartResolver as any other bean name is not picked up by MultipartFilter configured in web.xml. My initial configuration was not working because this bean was named multipartResolver. I even tried passing the bean name to MultipartFilter using web.xml init-param but that did not work either.

2.2. Using Tomcat multipart support

Tomcat 7.0+ has in-built multipart support, but it has to be explicitly enabled. Either change the global Tomcat context.xml file as follows or include a local context.xml file in your WAR file for this support to work without making any other changes to your application.

<Context allowCasualMultipartParsing="true">
    ...
</Context>

After these changes using Apache Commons Multipart Resolver our application is working so far on Tomcat, Jetty and Weblogic.
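The same two steps (MultipartFilter registered ahead of springSecurityFilterChain, and a CommonsMultipartResolver bean named exactly filterMultipartResolver in the root context) expressed as Spring Security Java config. This is an added example for readers who do not use web.xml; it is not the answerer's Gist or the project's code. The class names, the package and the reuse of the 100000000-byte upload limit are assumptions; AbstractSecurityWebApplicationInitializer, insertFilters and MultipartFilter.DEFAULT_MULTIPART_RESOLVER_BEAN_NAME are real Spring Security 3.2 / Spring 4 APIs. The security-relevant point is the ordering: CsrfFilter reads the token with request.getParameter, which only sees form fields of a multipart body after a multipart resolver has parsed it, so the filter that parses the body must run first.

```java
// Added example (not from the original answer): Java-config equivalent of the
// web.xml ordering in step 1 and the resolver bean in step 2.1.
package example.config; // package and class names are assumptions

import javax.servlet.ServletContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import org.springframework.web.multipart.support.MultipartFilter;

/**
 * Registers springSecurityFilterChain (a DelegatingFilterProxy, exactly as the
 * web.xml above does) and puts MultipartFilter in front of it, so the multipart
 * body is parsed before CsrfFilter looks for the _csrf parameter.
 */
public class SecurityWebInitializer extends AbstractSecurityWebApplicationInitializer {

    public SecurityWebInitializer() {
        // Builds the ROOT application context from this configuration class,
        // which is where the answer says the resolver bean must live.
        super(RootSecurityConfig.class);
    }

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        // Same effect as declaring springMultipartFilter before
        // springSecurityFilterChain in web.xml (step 1 of the answer).
        insertFilters(servletContext, new MultipartFilter());
    }

    /**
     * Root-context configuration. The resolver bean name must be
     * "filterMultipartResolver" (MultipartFilter.DEFAULT_MULTIPART_RESOLVER_BEAN_NAME);
     * the filter looks that name up by default and ignores e.g. "multipartResolver".
     */
    @Configuration
    @EnableWebSecurity
    public static class RootSecurityConfig extends WebSecurityConfigurerAdapter {

        @Bean(name = MultipartFilter.DEFAULT_MULTIPART_RESOLVER_BEAN_NAME)
        public MultipartResolver filterMultipartResolver() {
            CommonsMultipartResolver resolver = new CommonsMultipartResolver();
            resolver.setMaxUploadSize(100000000L); // same limit as the XML bean above (assumed)
            return resolver;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CSRF protection is enabled by default in Java config; it is written
            // out here so the reader can see it is not being switched off.
            http.csrf().and()
                .authorizeRequests().anyRequest().authenticated().and()
                .formLogin();
        }
    }
}
```

The upload form itself still has to carry the token as a hidden field (Spring Security exposes it as the `_csrf` request attribute), and with DEBUG logging on `org.springframework.security.web.csrf.CsrfFilter` a rejected multipart POST is reported as a missing token, the same symptom the question describes, which is the quickest way to confirm the filter order is wrong.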
