ExtJS Store SYNC with Spring Security ON

Question

I am new to Spring Security and I have added it to my project. Everything seems to work perfectly: login/logout and even navigating across screens. Only when I tried to have an ExtJS grid and added a record in the store and then called the sync() method of the store, I got -

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

I know that I need to pass _csrf with the request but I would like to know from all of you about the best way to get this done. Please help.

How can I pass this _csrf with all of the AJAX (create/update/delete/read) automatically when sync() method on the store is called?

Security Config

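import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
// UserService is the application's own UserDetailsService implementation.

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {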

    @Autowired
    private UserService userService;

    @Autowired
    private BCryptPasswordEncoder encoder;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService).passwordEncoder(encoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_ADMIN')").and().formLogin().and().csrf();

    }
}

ExtJS Code

tbar : [ '->', {
    text : 'Add',
    handler : function(btn) {
        var grid = btn.up('grid');
        var editor = grid.findPlugin('rowediting');
        grid.getStore().insert(0, {});
        editor.startEdit(0, 0);
    }
} ],
bbar : [ '->', {
    text : 'Save',
    handler : function(btn) {
        btn.up('grid').getStore().sync();
    }
} ],

Thanks!

Recommended answer

If you want to use CSRF you don't have to do it in Spring. Rather use the less invasive OWASP method. In your index.jsp or index.html where you include your ExtJS code you can include the CSRFGuard 3 CSRF injection which will cause the CSRF to be injected in any AJAX request. To turn off the CSRF in Spring you just set something like the following in your Spring configure:

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
  }

Or in your case:

  @Override
  protected void configure(HttpSecurity http) throws Exception 
  {
     http.authorizeRequests().antMatchers("/**").access("hasRole('ROLE_ADMIN')")
       .and().formLogin()
       .and().csrf().disable();
  }
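
A way to keep Spring Security's CSRF check enabled and still have sync() succeed, shown as an added example that is not part of the original question or answer: a `beforerequest` listener on `Ext.Ajax` adds the token header to every same-origin request. It assumes the page renders the `_csrf` and `_csrf_header` meta tags described in the Spring Security documentation; the helper names, the `app.example` origin and the sample token are made up for illustration.

```javascript
// Added example (not from the original post). Assumes the server-rendered page
// contains the two meta tags Spring Security's docs suggest for AJAX clients:
//   <meta name="_csrf" content="${_csrf.token}"/>
//   <meta name="_csrf_header" content="${_csrf.headerName}"/>

// Read header name and token from the page; null if either tag is missing.
function readCsrfMeta(doc) {
    var header = doc.querySelector('meta[name="_csrf_header"]');
    var token = doc.querySelector('meta[name="_csrf"]');
    if (!header || !token) { return null; }
    return { header: header.getAttribute('content'), token: token.getAttribute('content') };
}

// True only when url (absolute or relative) resolves to the page's own origin,
// so the token is never attached to a request bound for another host.
function isSameOrigin(url, origin) {
    try { return new URL(url, origin).origin === origin; } catch (e) { return false; }
}

// Hook the shared connection once; stores with an ajax/rest proxy send sync() through it.
function installCsrfHeader(ajax, doc, origin) {
    ajax.on('beforerequest', function (conn, options) {
        var csrf = readCsrfMeta(doc); // re-read per request in case the page refreshed the tags
        if (!csrf || !isSameOrigin(options.url, origin)) { return; }
        options.headers = Object.assign({}, options.headers);
        options.headers[csrf.header] = csrf.token;
    });
}

// Constructed stand-ins for `document` and `Ext.Ajax`, used to exercise the hook offline.
function demo(url) {
    var metas = { _csrf_header: 'X-CSRF-TOKEN', _csrf: 'constructed-token-123' };
    var doc = { querySelector: function (sel) {
        var m = /name="([^"]+)"/.exec(sel);
        return m && metas[m[1]] ? { getAttribute: function () { return metas[m[1]]; } } : null;
    } };
    var listener;
    var ajax = { on: function (evt, fn) { listener = fn; } };
    installCsrfHeader(ajax, doc, 'https://app.example');
    var options = { url: url, method: 'POST', headers: { Accept: 'application/json' } };
    listener(ajax, options);
    return options.headers;
}

// In the real page: install against the live ExtJS singleton.
if (typeof Ext !== 'undefined' && typeof document !== 'undefined') {
    installCsrfHeader(Ext.Ajax, document, window.location.origin);
}
```

Load this after ExtJS and before the first store is created, so the listener is in place when the grid's Save button calls sync().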
