尝试上传时,无效的CSRF令牌Spring 4 MVC [英] Invalid CSRF Token Spring 4 MVC while trying to upload
问题描述
我正在尝试使用Spring MVC 4通过Web应用程序上传文件,但出现错误:
I am trying to upload a file with a web application using Spring MVC 4 but I am getting an error:
在请求参数'_csrf'或标头'X-CSRF-TOKEN'上发现无效的CSRF令牌'null'.
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
春季版:
春季版本4.1.7.RELEASE
Spring Version 4.1.7.RELEASE
Spring Security 4.0.1.RELEASE
Spring Security 4.0.1.RELEASE
代码:
web.xml
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<display-name>FATCA Web Application</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-web-servlet.xml
</param-value>
</context-param>
<servlet>
<servlet-name>spring-web</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring-web</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
</web-app>
spring-web-servlet.xml
spring-web-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
<context:property-placeholder location="classpath:webapp.properties" />
<context:annotation-config />
<context:component-scan base-package="com.opessoftware" />
<mvc:annotation-driven />
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages" />
</bean>
<bean id="viewResolver"
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass"
value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix">
<value>/WEB-INF/views/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
</beans>
Settings.jsp
Settings.jsp
<form:form method="POST" action="uploadFile.html"
enctype="multipart/form-data" security="none">
<table style="width: 100%" border="1">
<tr>
<td colspan="1" style="text-align: left"><input
type="file" name="file" style="width: 100%;" /></td>
<td colspan="1" style="text-align: left"><input
type="submit" value=<spring:message code="uploadSettings" /> />
</td>
</tr>
</table>
</form:form>
提交包含字符串"Test"的名为test.txt
的文件后,发布请求有效内容:
Post request payload contents after submitting a file called test.txt
that contains the string "Test":
Content-Type: multipart/form-data; boundary=---------------------------83935555814334632461054528816
Content-Length: 368
-----------------------------83935555814334632461054528816
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain
Test
-----------------------------83935555814334632461054528816
Content-Disposition: form-data; name="_csrf"
41f3dc0a-b97f-4dac-bc49-21e02be53818
-----------------------------83935555814334632461054528816--
推荐答案
我通过遵循第二点的一般建议来解决此问题 Spring Security 3.2,CSRF的可接受答案和多部分请求 ,但使用的是Spring Security 4.0.1.RELEASE而不是3.2版.
I fixed this by following the general advice in the second point of the accepted answer to Spring Security 3.2, CSRF and multipart requests, but using Spring Security 4.0.1.RELEASE instead of version 3.2.
将Web应用程序从 Servlet API 2.4 更新为 Servlet API 3.0 :
Updated the Web application from Servlet API 2.4 to Servlet API 3.0:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
....
</web-app>
更改2
使用基于Java的配置,创建了 在 使用Java:
从Maven项目中删除了依赖项 这篇关于尝试上传时,无效的CSRF令牌Spring 4 MVC的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!StandardServletMultipartResolver
,它使用Servlet 3.0的多部分处理,不需要
更改3
web.xml
中:<servlet>
<servlet-name>spring-web</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
<multipart-config>
<location>/tmp</location>
<max-file-size>1000000</max-file-size>
<max-request-size>1000000</max-request-size>
<file-size-threshold>10000</file-size-threshold>
</multipart-config>
</servlet>
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
public SecurityWebApplicationInitializer() {
super(SecurityConfiguration.class);
}
@Override
protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
final XmlWebApplicationContext appContext = new XmlWebApplicationContext();
appContext.setConfigLocation("/WEB-INF/spring-web-servlet.xml");
final ServletRegistration.Dynamic registration = servletContext.addServlet("dispatcher",
new DispatcherServlet(appContext));
registration.setLoadOnStartup(1);
registration.addMapping("/");
registration.setMultipartConfig(new MultipartConfigElement("", 1000000, 1000000, 100000));
}
}
更改4
commons-fileupload
.