在请求参数“_csrf"或标头“X-CSRF-TOKEN"中发现无效的 CSRF 令牌“null" [英] Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

问题描述

配置 Spring Security 3.2 后，_csrf.token 不会绑定到请求或会话对象.

After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object.

这是 spring 安全配置:

This is the spring security config:

<http pattern="/login.jsp" security="none"/>

<http>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?error=1"
                default-target-url="/index.jsp"/>
    <logout/>
    <csrf />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="test" password="test" authorities="ROLE_USER/>
        </user-service>
    </authentication-provider>
</authentication-manager>

login.jsp 文件

The login.jsp file

<form name="f" action="${contextPath}/j_spring_security_check" method="post" >
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button id="ingresarButton"
            name="submit"
            type="submit"
            class="right"
            style="margin-right: 10px;">Ingresar</button>
    <span>
        <label for="usuario">Usuario :</label>
        <input type="text" name="j_username" id="u" class="" value=''/>
    </span>
    <span>
        <label for="clave">Contrase&ntilde;a :</label>

        <input type="password"
               name="j_password"
               id="p"
               class=""
               onfocus="vc_psfocus = 1;"
               value="">
    </span>
</form>

它呈现下一个html:

And it renders the next html:

<input type="hidden" name="" value="" />

结果是 403 HTTP 状态:

The result is 403 HTTP status:

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

更新经过一些调试后，请求对象以 DelegatingFilterProxy 的形式出现，但在 CoyoteAdapter 的第 469 行，它执行 request.recycle();删除所有属性...

UPDATE After some debug, the request object gets out fine form DelegatingFilterProxy, but in the line 469 of CoyoteAdapter it executes request.recycle(); that erases all the attributes...

我使用 JDK 1.7 在 Tomcat 6.0.36、7.0.50 中进行测试.

I test in Tomcat 6.0.36, 7.0.50 with JDK 1.7.

我不理解这种行为，而不是，如果有人向我指出一些与 CSRF 一起使用的 Spring Security 3.2 的应用程序示例战争的方向.

I have not understood this behavior, rather than, it would be possible if someone point me in the direction of some application sample war with Spring Security 3.2 that works with CSRF.

推荐答案

看起来您的 Spring 应用程序中的 CSRF(跨站点请求伪造)保护已启用.实际上它是默认启用的.

It looks like the CSRF (Cross Site Request Forgery) protection in your Spring application is enabled. Actually it is enabled by default.

根据spring.io:

什么时候应该使用 CSRF 保护?我们的建议是使用 CSRF保护可以由浏览器处理的任何请求普通用户.如果您只是创建一个由以下人员使用的服务非浏览器客户端，您可能需要禁用 CSRF 保护.

When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

所以禁用它:

@Configuration
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {
  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
  }
}

如果您想保持启用 CSRF 保护，那么您必须在表单中包含 csrftoken.你可以这样做:

If you want though to keep CSRF protection enabled then you have to include in your form the csrftoken. You can do it like this:

<form .... >
  ....other fields here....
  <input type="hidden"  name="${_csrf.parameterName}"   value="${_csrf.token}"/>
</form>

您甚至可以在表单的操作中包含 CSRF 令牌:

You can even include the CSRF token in the form's action:

<form action="./upload?${_csrf.parameterName}=${_csrf.token}" method="post" enctype="multipart/form-data">

这篇关于在请求参数“_csrf"或标头“X-CSRF-TOKEN"中发现无效的 CSRF 令牌“null"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！