Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object.
This is the Spring Security config:
<http pattern="/login.jsp" security="none"/>
<http>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?error=1"
                default-target-url="/index.jsp"/>
    <logout/>
    <csrf />
</http>
<authentication-manager>
    <authentication-provider>
        <user-service>
            <!-- the original was missing the closing quote after ROLE_USER -->
            <user name="test" password="test" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
The login.jsp file:
<form name="f" action="${contextPath}/j_spring_security_check" method="post" >
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button id="ingresarButton"
            name="submit"
            type="submit"
            class="right"
            style="margin-right: 10px;">Ingresar</button>
    <span>
        <label for="usuario">Usuario :</label>
        <input type="text" name="j_username" id="u" class="" value=''/>
    </span>
    <span>
        <label for="clave">Contraseña :</label>
        <input type="password"
               name="j_password"
               id="p"
               class=""
               onfocus="vc_psfocus = 1;"
               value="">
    </span>
</form>
And it renders the following HTML:
<input type="hidden" name="" value="" />
The result is a 403 HTTP status:
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
UPDATE: After some debugging, the request object comes out of DelegatingFilterProxy fine, but at line 469 of CoyoteAdapter it executes request.recycle(); which erases all the attributes...
I tested on Tomcat 6.0.36 and 7.0.50 with JDK 1.7.
I have not understood this behavior; rather, it would help if someone could point me in the direction of some sample application WAR with Spring Security 3.2 that works with CSRF.
It looks like the CSRF (Cross Site Request Forgery) protection in your Spring application is enabled. Actually, it is enabled by default.
According to spring.io:
When should you use CSRF protection?
Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
So to disable it:
@Configuration
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }
}
If you want to keep CSRF protection enabled, though, then you have to include the csrftoken in your form. You can do it like this:
<form .... >
    ....other fields here....
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
You can even include the CSRF token in the form's action:
<form action="./upload?${_csrf.parameterName}=${_csrf.token}" method="post" enctype="multipart/form-data">
If you apply security="none" then no CSRF token will be generated. The page will not pass through the security filter. Use the role ANONYMOUS.
I have not gone into details, but it is working for me.
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.jsp" access="hasRole('ANONYMOUS')" />
    <!-- your configuration -->
</http>
Try to change this: <csrf />
to this: <csrf disabled="true"/>
It should disable CSRF.
With Thymeleaf, you can add:
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
Spring documentation to disable CSRF: https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-configure
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }
}
I used to have the same problem.
Your config uses security="none", so it cannot generate _csrf:
<http pattern="/login.jsp" security="none"/>
You can set access="IS_AUTHENTICATED_ANONYMOUSLY" for the page /login.jsp, replacing the above config:
<http>
    <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"
                authentication-failure-url="/login.jsp?error=1"
                default-target-url="/index.jsp"/>
    <logout/>
    <csrf />
</http>
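For comparison, the same fix expressed in Spring Security 3.2 Java configuration. This is an added example, not code from the question or from any of the answers; the class name LoginCsrfConfig is assumed, the paths and parameter names are taken from the question. It shows why security="none" (web.ignoring() in Java config) leaves the _csrf request attribute unset, while permitAll() keeps the login page inside the filter chain where CsrfFilter runs.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (hypothetical class name), not from the original post.
@Configuration
@EnableWebSecurity
public class LoginCsrfConfig extends WebSecurityConfigurerAdapter {

    // WRONG: this is the Java-config equivalent of <http pattern="/login.jsp" security="none"/>.
    // An ignored path bypasses the whole filter chain, including CsrfFilter, so the
    // "_csrf" request attribute is never set and ${_csrf.token} renders as an empty string.
    // Kept commented out only to show the mapping; do not enable it.
    // @Override
    // public void configure(WebSecurity web) throws Exception {
    //     web.ignoring().antMatchers("/login.jsp");
    // }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // RIGHT: the login page stays inside the secured chain but allows anonymous
            // access, so CsrfFilter still runs for GET /login.jsp and stores the token
            // under the "_csrf" request attribute for the JSP to read.
            .authorizeRequests()
                .antMatchers("/login.jsp").permitAll()
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                .loginPage("/login.jsp")
                .loginProcessingUrl("/j_spring_security_check") // matches the form action in the question
                .usernameParameter("j_username")                // Java config defaults to "username"
                .passwordParameter("j_password")                // Java config defaults to "password"
                .failureUrl("/login.jsp?error=1")
                .defaultSuccessUrl("/index.jsp")
                .and()
            .logout()
                .and()
            .csrf(); // on by default in Java config; stated explicitly to make the intent clear
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same in-memory user as the <user-service> in the question (test/test, ROLE_USER).
        auth.inMemoryAuthentication().withUser("test").password("test").roles("USER");
    }
}
```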
I think CSRF only works with Spring forms:
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
Change to the form:form tag and see if that works.
Please check my working sample application on GitHub and compare it with your setup.
Neither one of the solutions worked for me. The only one that worked for me in a Spring form is:
action="./upload?${_csrf.parameterName}=${_csrf.token}"
REPLACED WITH:
action="./upload?_csrf=${_csrf.token}"
(Spring 5 with CSRF enabled in Java configuration)
In your controller add the following:
@RequestParam(value = "_csrf", required = false) String csrf
And on the JSP page add:
<form:form modelAttribute="someName" action="someURI?${_csrf.parameterName}=${_csrf.token}">
I used the Spring 4.2.3 jar for Spring Security but got the same error. Then I downgraded to 3.1.4 and this works perfectly.
Here are my dependencies from pom.xml:
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.26</version>
</dependency>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate</artifactId>
<version>3.5.4-Final</version>
<type>pom</type>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>5.0.1.Final</version>
</dependency>
<dependency>
<groupId>commons-validator</groupId>
<artifactId>commons-validator</artifactId>
<version>1.4.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>