
Spring Security | CSRF metatags not working for internet explorer

I am using Spring Security version 3.2.2 in my application. To protect my application against CSRF attacks, I have used the Spring Security CSRF meta tags.

Below is my code:

Security.xml

In the security XML I have added the tag below.

<csrf/>

There are two JSPs: container.jsp and changepassword.jsp.

In container.jsp I added the CSRF tags as below:

    <head>
        <sec:csrfMetaTags />
    </head>

Also, I added changepassword.jsp in container.jsp.

<jsp:include page="/path/changepassword.jsp" flush="true" />

So I am hoping the CSRF meta tags added in container.jsp will also apply to changepassword.jsp, as container.jsp is the parent page.

And changepassword.jsp is created only to be included in other pages, so it does not contain any head tag.

The above code is working fine with Chrome and Mozilla, but for Internet Explorer (version 11) it is not working and throws the error below:

exception 
java.lang.IllegalStateException: Parameters processing failed.
    org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:407)
    org.apache.tomcat.util.http.Parameters.processParameters(Parameters.java:229)
    org.apache.catalina.connector.Request.parseParameters(Request.java:2874)
    org.apache.catalina.connector.Request.getParameter(Request.java:1291)
    org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:363)
    javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:180)
    javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:180)
    org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:91)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.session.ConcurrentSessionFilter.doFilter(ConcurrentSessionFilter.java:125)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:

I am not getting whether it is a known issue on the Internet Explorer side, or whether I need some different configuration for Internet Explorer. Please assist. Thanks in advance.

Google seems to indicate this is an error in Wildfly / JBoss. It may be triggered by the fact that one of your HTTP parameters is included twice in the request or has an empty string value.

The exact error is unlikely to be caused by Spring Security since it is simply trying to access the HTTP parameters. However, it is possible that improper setup of Spring Security is causing the Wildfly / JBoss error to occur. If this doesn't help, you might post the HTTP request (including all the parameters) that is submitted to your application server and the application server name and version you are using.
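An added example, not part of the original question or answer: `<sec:csrfMetaTags />` only renders `_csrf`, `_csrf_header` and `_csrf_parameter` meta elements, so page script (or a hidden form field) still has to put the token on each state-changing request. The sketch below reads those meta tags and builds either the request header or a form body in which the token parameter appears exactly once and non-empty; the function names and the `pageOrigin` argument are hypothetical.

```javascript
// Added example (not from the original posts). Meta names are the ones
// <sec:csrfMetaTags /> renders; function names here are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the three meta tags from a Document-like object (anything with querySelector).
function readCsrfMeta(doc) {
  const content = (name) => {
    const el = doc.querySelector('meta[name="' + name + '"]');
    return el ? el.getAttribute("content") : null;
  };
  const meta = {
    token: content("_csrf"),
    headerName: content("_csrf_header"),
    parameterName: content("_csrf_parameter"),
  };
  if (!meta.token || !meta.headerName || !meta.parameterName) {
    throw new Error("CSRF meta tags missing or empty");
  }
  return meta;
}

// Headers for an AJAX call: the token is attached only to state-changing,
// same-origin requests, so it is never sent to another site.
function csrfHeaders(doc, method, url, pageOrigin) {
  const headers = {};
  const sameOrigin = new URL(url, pageOrigin).origin === pageOrigin;
  if (!SAFE_METHODS.has(method.toUpperCase()) && sameOrigin) {
    const meta = readCsrfMeta(doc);
    headers[meta.headerName] = meta.token;
  }
  return headers;
}

// Body for a form-encoded POST: any stray or empty copy of the token
// parameter is dropped and the real token is appended once.
function formBodyWithToken(doc, fields) {
  const meta = readCsrfMeta(doc);
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(fields)) {
    if (key !== meta.parameterName) params.append(key, value);
  }
  params.append(meta.parameterName, meta.token);
  return params.toString();
}
```

In a browser, pass `document` and `window.location.origin`; the returned headers can be set on an `XMLHttpRequest` with `setRequestHeader`.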
