Spring's CSRF protection for an HTML *only* login page


Problem description


I'm trying to leverage Spring Security's built-in CSRF protection. These are the Spring versions I'm using:

Spring Framework version - 4.2.1

Spring Security - 4.0.2

The Spring Security documentation mentions that the login page must also be protected against CSRF attacks. I see that my login does not work when I enable CSRF protection (and no token is passed) - as expected.

My login page is a pure HTML page (not a JSP) and I cannot make use of any Spring or JSTL tags. I'm thinking about implementing a solution similar to the one described here -

With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs

The solution as explained in the above link (the author's blog linked in the comment to the accepted answer) is to make an AJAX call on the login page that will get the value of the CSRF token and then include it in the login request.

However, the Spring documentation also mentions that a new HttpSession will be created as soon as the csrfToken is accessed. I have a couple of concerns -

1. My AJAX call to get the CSRF token will not be secured since I have to invoke it before the login.

2. The fact that a new HttpSession is generated as soon as the CSRF token is accessed is also cause for concern given that the AJAX call is not secured.

The rest of the application only makes AJAX or REST calls and I plan on implementing client interceptors to include the CSRF token in the header once the user is logged in. (As I understand it, there is one CsrfToken for the user session.)

Does anyone have an idea on securing a purely HTML login page with Spring's CSRF protection?

Solution

1) If you study the CSRF vulnerability closely, you'll find that there is no loophole in getting the token through a GET request.

2) After login/logout etc., when a new session is created, the token will change, and you may need to fetch it again. It's discussed more in this post.

Spring Lemon's source code would be a good reference on how to use AJAX+CSRF. See also this official guide.
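The flow the question and answer describe, as an added example in JavaScript (not code from the question, the answer, Spring or Spring Lemon): a hypothetical GET `/csrf` endpoint returning Spring's `CsrfToken` as JSON (`headerName`, `parameterName`, `token`) is assumed, the token is fetched before the login POST, re-fetched after login because the new session carries a new token (point 2 of the answer), and a client interceptor adds the header to later calls. A constructed fake server stands in for Spring so the code runs offline.

```javascript
// Added example, not code from the question, the answer, Spring or Spring Lemon.
// Assumes a hypothetical GET /csrf endpoint that returns Spring's CsrfToken as JSON
// ({headerName, parameterName, token}) and a form login at POST /login.
// fetchFn is injected so the flow can be run offline against the fake server below.
async function fetchCsrfToken(fetchFn) {
  // Reading the token over GET is safe: the same-origin policy keeps a foreign
  // page from reading this response, and a GET never changes server state.
  const res = await fetchFn('/csrf', { method: 'GET', credentials: 'same-origin' });
  if (!res.ok) throw new Error('csrf endpoint returned ' + res.status);
  return res.json();
}

async function login(fetchFn, username, password) {
  const csrf = await fetchCsrfToken(fetchFn);
  const res = await fetchFn('/login', {
    method: 'POST', credentials: 'same-origin',
    headers: { [csrf.headerName]: csrf.token,
               'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ username, password }).toString(),
  });
  if (!res.ok) throw new Error('login rejected with ' + res.status);
  // Login creates a new HttpSession and the token is bound to the session, so
  // the pre-login token is now stale: fetch a fresh one for the interceptor.
  return fetchCsrfToken(fetchFn);
}

function withCsrf(fetchFn, csrf) {
  // Client interceptor: add the token header to every state-changing request.
  return (url, init = {}) => {
    const method = (init.method || 'GET').toUpperCase();
    if (['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method)) return fetchFn(url, init);
    return fetchFn(url, { ...init, headers: { ...init.headers, [csrf.headerName]: csrf.token } });
  };
}

// Constructed fake of the server side: the token is tied to the session, and the
// session (hence the token) rotates on a successful login, as Spring does.
function fakeSpringServer() {
  let session = 'sess-1';
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  return async (url, init = {}) => {
    const method = (init.method || 'GET').toUpperCase();
    const token = 'token-for-' + session;
    if (url === '/csrf') return reply(200, { headerName: 'X-CSRF-TOKEN', parameterName: '_csrf', token });
    if (method !== 'GET' && (init.headers || {})['X-CSRF-TOKEN'] !== token) return reply(403, {});
    if (url === '/login') session = 'sess-2';
    return reply(200, { session });
  };
}
```

Against a real Spring backend, replace `fakeSpringServer()` with the browser's `fetch` and keep the interceptor returned by `withCsrf` for all REST calls made after login.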
