Upgrading Spring Security to 3.2.0.RELEASE no longer provides CSRF token in Spring taglib


Problem description

My project was using Spring Security 3.2.0.RC2 and my JSPs used the Spring taglib's form:form tag to automatically insert the CSRF token into my forms.

After upgrading to Spring Security 3.2.0.RELEASE, I'm finding that the form:form tag no longer automatically inserts the CSRF token into my form, and that I now must manually add it via placing this in my form: <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

Has anyone else encountered the same issue? If so, what did you do for a workaround? Thanks.

Recommended answer

You need to ensure you are using the @EnableWebMvcSecurity annotation instead of the @EnableWebSecurity annotation, as described in Hello Spring MVC Security Java Config. The reason for adding the new annotation was to resolve SEC-2436. You will notice that SEC-2463 was added to better document this within the CSRF part of the reference.
