Spring Security 3.2, CSRF and multipart requests


Question

This question is in relation to the question at this URL: Spring Security 3.2 CSRF support for multipart requests

I tried this exact same setup as well as the gist, but I cannot get this to work unless I have the _csrf token in the URL. I had it in the form body as a hidden field and had the filter specified before the security filter, but with no joy, and it failed every time with the debug log message of an invalid CSRF token.

Any help on this would be greatly appreciated.

Cheers Damien

Recommended answer

It would have been very hard to find without the gist, but I finally got it!

In fact, it has nothing to do with Spring Security. The real problem was only in the Spring Framework multipart configuration. But because of it, the request appeared to have no parameters at all (neither _csrf, nor file), and the first to detect it was CsrfFilter. I removed everything about security, and the error was Requested parameter file absent (or something like it ...)

As detailed in the Spring Framework manual, multipart can be handled in 2 ways:


  • using Apache commons fileupload
  • using servlet 3.0 configuration


  1. You followed the first solution of the related post and configured a CommonsMultipartResolver in mvc-dispatcher-servlet.xml. The first problem is that the MultipartFilter is related to the global ServletContext and looks for its MultipartResolver in the root application context, not in the servlet-specific context.

The second problem is that you forgot to add a dependency on Apache commons fileupload in your pom.xml.

So first, in pom.xml:

<dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.3.1</version>
</dependency>

Next, you must remove the filterMultipartResolver bean from mvc-dispatcher-servlet.xml and declare it in the root application context. As a quick and dirty fix, you can add it into spring-security.xml:

<beans:bean id="filterMultipartResolver"
      class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <beans:property name="maxUploadSize" value="100000000" />
</beans:bean>




  2. An alternative configuration would have been to use the multipart handling of servlet 3.0. No need to depend on Apache commons fileupload, nor to add any bean to the configuration, because MultipartFilter uses a StandardServletMultipartResolver as a default.

You simply need to add a <multipart-config> element in the declaration of the DispatcherServlet in web.xml:

<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <multipart-config>
        <!--location>/tmp</location-->
        <max-file-size>1000000</max-file-size>
    </multipart-config>
</servlet>

