Spring Security 3.2, CSRF and multipart requests

Question

This question is in relation to the question at this url Spring Security 3.2 CSRF support for multipart requests

I tried this exact same setup as well as the gist but I cannot get this to work unless I have the _csrf token in the url. I had it in the form body as a hidden field and had the filter specified before the security filter but with no joy and it failed every time with the debug log message of an invalid csrf token

Any help on this would be greatly appreciated

Cheers, Damian

Recommended answer

It would have been very hard to find without the gist but I finally got it!

In fact it has nothing to do with Spring security. The real problem was only in SpringFramework multipart configuration. But because of it, the request appeared to have no parameter at all (neither _csrf, nor file) and the first to detect it was CsrfFilter. I removed everything about security, and the error was Requested parameter file absent (or something like it ...)

As detailed in Spring Framework manual, multipart can be handled in 2 ways:

  • using Apache commons fileupload
  • using servlet 3.0 configuration

  1. You followed the first solution of the related post and configured a CommonsMultipartResolver in mvc-dispatcher-servlet.xml. The first problem is that the MultipartFilter is related to the global ServletContext and looks for its MultipartResolver in the root application context, not in the servlet-specific context.

The second problem is that you forgot to add a dependency on Apache commons fileupload in your pom.xml.

So you must first add this to your pom.xml:

<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.1</version>
</dependency>

Next you must remove the filterMultipartResolver bean from mvc-dispatcher-servlet.xml and declare it in the root application context. As a quick and dirty fix, you can add it into spring-security.xml:

<beans:bean id="filterMultipartResolver"
      class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <beans:property name="maxUploadSize" value="100000000" />
</beans:bean>

  2. An alternative configuration would have been to use the multipart handling of servlet 3.0. No need to depend on Apache commons fileupload, nor to add any bean to the configuration, because MultipartFilter uses a StandardServletMultipartResolver as a default.

You only need to add this in web.xml:

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <multipart-config>
        <!--location>/tmp</location-->
        <max-file-size>1000000</max-file-size>
    </multipart-config>
</servlet>
