Spring Security 3.2.0 CSRF令牌在Freemarker模板中不起作用 [英] spring security 3.2.0 csrf token not working in freemarker template

问题描述

升级到Spring Security 3.2.0并配置xml后，_csrf令牌不起作用。

基本知识：

• Spring 4.0.1


• Spring Security 3.2.0。


• Freemarker模板语言

第1步-Spring Security xml配置：

 <！-通过csrf-element启用csrf保护-> 
< sec：http> 
<！--> 
< sec：csrf token-repository-ref = csrfTokenRepository /> 
< / sec：http> 
 
< ;!-重写headerName-> 
< bean id = csrfTokenRepository class = org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository> 
<属性名称= headerName值= X-SECURITY /> 
< / bean> 
  

步骤2-免费标记模板：

 < form accept-charset = UTF-8 action = / portal method = POST name = formAddItemToCart> 
<！-...-> 
 
< ;!-inlcude csrf令牌-> 
<输入类型=隐藏 
 name = $ {_ csrf.parameterName} 
 value = $ {_ csrf.token} /> 
< / form> 
  

步骤3-呈现的输出：

 < form accept-charset = UTF-8 action = / portal method = POST name = formAddItemToCart> 
<！-...-> 
 
<输入类型= hidden name = value = /> 
< / form> 
  

步骤4-freemarker模板错误：

< pre $ = lang-html prettyprint-override> FreeMarker模板错误：
以下内容评估为null或丢失：
==> _csrf [在第28行第21列的模板 cart.ftl中]


参考：
http：// docs。 spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#csrf

目前我正在调试整个系统应用。

我不知道问题出在哪里-但csrf似乎无法与freemarker一起使用。通常可以在freemarker模板中包含csrf令牌吗？您有任何建议或解决方案吗？

解决方案

更新：

xml配置不正确。
我找到了这种解决方案，对我有很大帮助。
https://github.com/spring-projects/ spring-mvc-showcase / commit / 361adc124c05a8187b84f25e8a57550bb7d9f8e4

现在我的文件如下：

security.xml

 < sec：http> 
<！-...-> 
< sec：csrf /> 
< / sec：http> 
 
< bean id = requestDataValueProcessor class = org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor /> 
 
< bean id = csrfFilter class = org.springframework.security.web.csrf.CsrfFilter> 
< constructor-arg> 
< bean class = org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository> 
<属性名称= headerName值= X-SECURITY /> 
< / bean> 
< / constructor-arg> 
< / bean> 
  

web.xml

 < filter> 
< filter-name> csrfFilter< / filter-name> 
< filter-class> org.springframework.web.filter.DelegatingFilterProxy< / filter-class> 
< async-supported> true< / async-supported> 
< / filter> 
 
< filter-mapping> 
< filter-name> csrfFilter< / filter-name> 
< url-pattern> / *< / url-pattern> 
< / filter-mapping> 
  

After uprading to Spring Security 3.2.0 and configuring the xml, the _csrf token is not working.

Fundamentals:

• Spring 4.0.1
• Spring Security 3.2.0.
• Freemarker Template Language

Step 1 - the spring security xml configuration:

<!-- enable csrf protection via csrf-element -->
<sec:http>
    <!-- -->
    <sec:csrf token-repository-ref="csrfTokenRepository" />
</sec:http>

<!-- rewrite headerName -->
<bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
    <property name="headerName" value="X-SECURITY" />
</bean>

Step 2 - the freemarker template:

<form accept-charset="UTF-8" action="/portal" method="POST" name="formAddItemToCart">
    <!-- ... -->

    <!-- inlcude csrf token -->
    <input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>
</form>

Step 3 - the rendered output:

<form accept-charset="UTF-8" action="/portal" method="POST" name="formAddItemToCart">
    <!-- ... -->

    <input type="hidden" name="" value=""/>
</form>

Step 4 - the freemarker template error:

FreeMarker template error:
The following has evaluated to null or missing:
==> _csrf  [in template "cart.ftl" at line 28, column 21]

Reference: http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#csrf

Currently i'm debugging the whole application.

I don't know where exactly the problem is - but it seems that csrf isn't working with freemarker. Is this generally possible to include the csrf token in the freemarker template? Do you have any suggestions or solutions?

解决方案

UPDATE:

xml configuration was not made properly. I've found this solution which helps me lot. https://github.com/spring-projects/spring-mvc-showcase/commit/361adc124c05a8187b84f25e8a57550bb7d9f8e4

Now my files look like these:

security.xml

    <sec:http>
        <!-- ... -->
        <sec:csrf />
</sec:http>

<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"/>

<bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
    <constructor-arg>
        <bean class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
            <property name="headerName" value="X-SECURITY" />
        </bean>
    </constructor-arg>
</bean>

web.xml

 <filter>
    <filter-name>csrfFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <async-supported>true</async-supported>
</filter>

<filter-mapping>
    <filter-name>csrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

这篇关于Spring Security 3.2.0 CSRF令牌在Freemarker模板中不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！