CSRF (Cross-site request forgery) protection in Spring MVC
Question
I'm a little confused about this CSRF (Cross-site request forgery) protection in Spring. Now I have my JSP, my controller and a web service. What I want to do is validate the token at the web service level and, if the token is a match, run the web service (in my case, do a db insert).
JSP file
<%-- opening form tag restored; modelAttribute "userForm" matches the controller below --%>
<form:form modelAttribute="userForm" method="post">
    <form:input type="text" class="form-control" path="mName" />
    <input type="hidden" name="${_csrf.parameterName}"
           value="${_csrf.token}" />
    <div class="form-action">
        <input type="submit" value="Save" class="btn btn-primary" />
    </div>
</form:form>
I've inserted the hidden tag also. Now what should I do to validate this token? I'm a little lost there.
In the controller class I get the values from the form into an object and call the web service to save the data:
@RequestMapping(method = RequestMethod.POST)
public String processForm(@ModelAttribute(value = "userForm") @Valid UserForm userForm, BindingResult result, ModelMap model) {
//call the web service
}
Accepted answer
Apparently I was using Spring Security 3.1.4.RELEASE; there you have to do this manually. Then I changed it to 3.2.2.RELEASE and then I just had to use
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
Refer to this link to see what's new in Spring Security 3.2:
http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#new
Be careful: when you change from 3.1.4.RELEASE to 3.2.2.RELEASE, there are a lot of confusing refactorings to do, especially in the web.xml and spring-security.xml files.
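As an added example (not part of the original answer), this is a minimal spring-security.xml for the 3.2.x namespace that turns on the CsrfFilter, which is what makes the hidden `${_csrf.token}` field above sufficient: the filter compares the submitted `_csrf` parameter (or `X-CSRF-TOKEN` header) against the token stored in the session and rejects mismatches with HTTP 403 before any controller or web service runs, so no manual check is needed at the web service level. It assumes the file is wired through the usual springSecurityFilterChain DelegatingFilterProxy in web.xml; the URL pattern and in-memory user are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- spring-security.xml for Spring Security 3.2.x (example configuration, not from the original post) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http use-expressions="true">
        <!-- placeholder access rule: protect everything -->
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login />
        <!-- with CSRF enabled, logout must be a POST carrying the token as well -->
        <logout />

        <!-- Enables CsrfFilter. It issues a per-session token (HttpSessionCsrfTokenRepository),
             exposes it to views as the request attribute "_csrf" (used by the JSP form above),
             and requires every state-changing request (POST, PUT, PATCH, DELETE) to carry the
             same value in the "_csrf" parameter or the "X-CSRF-TOKEN" header.
             A missing or mismatched token is answered with 403 before the controller runs.
             In the 3.2 XML namespace this element must be present explicitly; it is not on by default. -->
        <csrf />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- placeholder in-memory user for the example -->
                <user name="user" password="password" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

To confirm the filter is doing its job, submit the form once with the hidden field removed: the request must come back as 403 and the controller method must not be reached.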