Spring Security 3.2.0 RC1 CSRF with multipart/form-data


Question

I've been playing with the new CSRF functionality in Spring Security 3.2.0.RC1, and noticed that it doesn't seem to work with enctype="multipart/form-data" forms.

I have a simple Spring form:

<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
...
<form:form action="${pageContext.request.contextPath}/model/create" modelAttribute="myForm" enctype="multipart/form-data">

and the hidden csrf input is being rendered as expected:

<input type="hidden" value="..." name="_csrf">

but the request fails the CSRF check (it works fine if I remove enctype="multipart/form-data"). The only way I've found around this is to append "?_csrf=..." to my action URL, which is ugly as the token then appears in the address bar on redirect. Has anyone experienced the same/found a nice solution?

Recommended answer

Currently the CSRF protection requires/reads a request parameter; however, due to your different type of form, the form content isn't available as request parameters. If you add it to the URL it will be available as a request parameter.

Inside the DispatcherServlet there is multipart detection, and such a request is wrapped in an implementation of MultipartHttpServletRequest, which decodes the multipart request and makes the content available as request parameters.

However, the Spring Security filters execute before that. Until there is a final solution you can configure the MultipartFilter and execute it before the Spring Security filter chain. That basically pulls the wrapping and decoding in front of the DispatcherServlet. One thing to remember here is that you need to also put it before the Spring Security filter.

Example configuration and additional solutions can be found in the Spring Security reference guide.
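The following is an added Java-config example of the arrangement the answer describes (MultipartFilter registered ahead of springSecurityFilterChain); it is not code from the original post or from the Spring Security project. It uses the real Spring Security 3.2 AbstractSecurityWebApplicationInitializer.beforeSpringSecurityFilterChain() hook and Spring's MultipartFilter, which looks up a MultipartResolver bean named "filterMultipartResolver" in the root WebApplicationContext. The class names SecurityWebApplicationInitializer and RootConfig, and the upload-size limit, are assumptions; it also assumes a separate @EnableWebSecurity configuration exists in the root context (CSRF protection is on by default there) and that commons-fileupload is on the classpath for CommonsMultipartResolver.

```java
import javax.servlet.ServletContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import org.springframework.web.multipart.support.MultipartFilter;

// Each class below lives in its own source file; they are shown together here.

// Registers springSecurityFilterChain and, through the beforeSpringSecurityFilterChain
// hook, inserts MultipartFilter in front of it. The multipart body is therefore decoded
// into request parameters before CsrfFilter reads the _csrf parameter.
// (Class name is hypothetical; the hook and insertFilters() are real 3.2 APIs.)
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
        // insertFilters() maps the filter to /* and orders it before springSecurityFilterChain
        insertFilters(servletContext, new MultipartFilter());
    }
}

// Root-context configuration (hypothetical class name). MultipartFilter resolves the bean
// "filterMultipartResolver" from the root context; without it the filter falls back to
// StandardServletMultipartResolver, which only works if the DispatcherServlet was
// registered with a Servlet 3.0 multipart-config.
@Configuration
public class RootConfig {

    @Bean(name = "filterMultipartResolver")
    public MultipartResolver filterMultipartResolver() {
        CommonsMultipartResolver resolver = new CommonsMultipartResolver();
        // The filter now runs before authentication and before the CSRF check, so any
        // anonymous client can make the server buffer an upload to temporary storage.
        // Cap the size to bound that (5 MiB here is an assumed value).
        resolver.setMaxUploadSize(5L * 1024 * 1024);
        return resolver;
    }
}
```

With this in place the multipart form from the question passes the CSRF check without the token in the action URL. The trade-off is the one the comment flags: because MultipartFilter sits in front of Spring Security, the upload is parsed (and temporary files may be written) for requests that later fail authentication or the CSRF check, so keep the resolver's size limit tight. If that is unacceptable, the alternative is the one the question already found, putting the token in the action URL as a query parameter, which keeps the security filters first at the cost of exposing the token in the address bar and in logs.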

