Spring Security CSRF令牌不使用AJAX [英] Spring Security CSRF Token not working with AJAX

问题描述

我的春季启动应用中遇到了csrf令牌的问题。

I have a problem in my spring boot app with the csrf token.

我有一个表单，我可以编辑一个人。一个人可以拥有

I have a form where I can edit a Person. A Person can have

现在让我们想象一下这个人有一辆车并输入并存储它。下次他想删除这辆车并进入另一辆车。我创建了这个，以便列出他所有的汽车 - 他可以选择从列表中删除它。现在我从这些药片开始，并希望使用相应的ID向服务器发送POST。当我尝试时，我禁止403，我不知道为什么。

Let us now imagine that the person has a car and enter this and store it. The next time he wants to delete this car and enter another one. I have created that so that there is a list of all of his cars -- he has the option to remove this from the list. Now I'm starting from these pills and want to send with the corresponding ID to the server a POST. When I try I get a 403 forbidden and I have no idea why.

如果我从POST更改为GET，那么它可以工作。

If I change from POST to GET, then it works.

我的JavaScript（取自本网站： http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag ）

My JavaScript (taken from this site: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag)

var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
var csrfHeader = $("meta[name='_csrf_header']").attr("content");
var csrfToken = $("meta[name='_csrf']").attr("content");

// using JQuery to send a non-x-www-form-urlencoded request
var headers = {};
headers[csrfHeader] = csrfToken;
$.ajax({
    url: "./delete/car",
    type: "GET",
    headers: headers,
});

$.ajax({
     url: "./delete/car",
     type: "POST",
     headers: headers,
});

我的控制器方法：

@RequestMapping(value = "/{login}/delete/car", method = RequestMethod.GET)
    public ModelAndView delete(@PathVariable("login") final String login) {
        System.out.println("Stop");
        return new ModelAndView("redirect:" + WebSecurityConfig.URL_PERSONS_OVERVIEW);
    }

    @RequestMapping(value = "/{login}/delete/car", method = RequestMethod.POST)
    public ModelAndView deleteInstEmp(@PathVariable("login") final String login) {
        System.out.println("Stop");
        return new ModelAndView("redirect:" + WebSecurityConfig.URL_PERSONS_OVERVIEW);
    }

有什么建议吗？

提前致谢。

推荐答案

好的，经过努力，我得到以下结果。

OK, after strugglin with all that, I get the following result.

我将 fail 方法添加到Ajax构造中并获得以下消息：

I added the fail method to the Ajax construct and get the following message:

无法在'XMLHttpRequest'上执行'setRequestHeader'：'$ {_ csrf.headerName}'不是有效的HTTP标头字段名称。

"Failed to execute 'setRequestHeader' on 'XMLHttpRequest': '${_csrf.headerName}' is not a valid HTTP header field name."

官方春季网站建议你必须把它：< sec：csrfMetaTags /> 或来自其他来源，这个：< meta name =_ csrfth：content =$ {_ csrf.token}/> 在你的html文件中。

the official spring site advises that you have to put this: <sec:csrfMetaTags /> or from other sources, this: <meta name="_csrf" th:content="${_csrf.token}"/> in your html file.

在此之后，您应该能够在JavaScript中访问这些属性，但在我的情况下，我得到 undefined 和 $ {_ csrf.headerName} 。

After this, you should be able to access these attributes in your JavaScript, but in my case I get undefined and ${_csrf.headerName}.

最后一次尝试是从隐藏值中取值（ch第24.5节： http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag ）。

A last try was to take the value from the hidden value (chapter 24.5: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag).

现在，我有以下内容：

$(function () {
    var token = $("input[name='_csrf']").val();
    var header = "X-CSRF-TOKEN";
    $(document).ajaxSend(function(e, xhr, options) {
        xhr.setRequestHeader(header, token);
    });
});

$.ajax({
    url: "./delete/car",
    type: "POST",
    success:function(response) {
        alert(response);
    }
});

这就像魅力一样。

这篇关于Spring Security CSRF令牌不使用AJAX的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！