[英]Spring Security CSRF Token not working with AJAX
I have a problem in my spring boot app with the csrf token. 我在使用csrf令牌的spring boot应用程序中遇到问题。
I have a form where I can edit a Person. 我有一个表格,我可以编辑一个人。 A Person can have
一个人可以拥有
Let us now imagine that the person has a car and enter this and store it. 现在让我们想象一下这个人有一辆车然后进入并储存它。 The next time he wants to delete this car and enter another one.
下次他想删除这辆车并进入另一辆车。 I have created that so that there is a list of all of his cars -- he has the option to remove this from the list.
我创建了这个,以便列出他所有的汽车 - 他可以选择从列表中删除它。 Now I'm starting from these pills and want to send with the corresponding ID to the server a POST.
现在我从这些药片开始,并希望使用相应的ID向服务器发送POST。 When I try I get a 403 forbidden and I have no idea why.
当我尝试时,我禁止403,我不知道为什么。
If I change from POST to GET, then it works. 如果我从POST更改为GET,那么它可以工作。
My JavaScript (taken from this site: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag ) 我的JavaScript(取自本网站: http : //docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag )
var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
var csrfHeader = $("meta[name='_csrf_header']").attr("content");
var csrfToken = $("meta[name='_csrf']").attr("content");
// using JQuery to send a non-x-www-form-urlencoded request
var headers = {};
headers[csrfHeader] = csrfToken;
$.ajax({
url: "./delete/car",
type: "GET",
headers: headers,
});
$.ajax({
url: "./delete/car",
type: "POST",
headers: headers,
});
My controller methods: 我的控制器方法:
@RequestMapping(value = "/{login}/delete/car", method = RequestMethod.GET)
public ModelAndView delete(@PathVariable("login") final String login) {
System.out.println("Stop");
return new ModelAndView("redirect:" + WebSecurityConfig.URL_PERSONS_OVERVIEW);
}
@RequestMapping(value = "/{login}/delete/car", method = RequestMethod.POST)
public ModelAndView deleteInstEmp(@PathVariable("login") final String login) {
System.out.println("Stop");
return new ModelAndView("redirect:" + WebSecurityConfig.URL_PERSONS_OVERVIEW);
}
Any suggestions? 有什么建议么?
Thanks in advance. 提前致谢。
OK, after strugglin with all that, I get the following result. 好吧,在经历了这一切之后,我得到了以下结果。
I added the fail
method to the Ajax construct and get the following message: 我将
fail
方法添加到Ajax构造中并获得以下消息:
"Failed to execute 'setRequestHeader' on 'XMLHttpRequest': '${_csrf.headerName}' is not a valid HTTP header field name."
“无法在'XMLHttpRequest'上执行'setRequestHeader':'$ {_ csrf.headerName}'不是有效的HTTP头字段名称。”
the official spring site advises that you have to put this: <sec:csrfMetaTags />
or from other sources, this: <meta name="_csrf" th:content="${_csrf.token}"/>
in your html file. 官方的春季网站建议你必须把它:
<sec:csrfMetaTags />
或其他来源,这个: <meta name="_csrf" th:content="${_csrf.token}"/>
在你的html文件中。
After this, you should be able to access these attributes in your JavaScript, but in my case I get undefined
and ${_csrf.headerName}
. 在此之后,您应该能够在JavaScript中访问这些属性,但在我的情况下,我得到了
undefined
${_csrf.headerName}
。
A last try was to take the value from the hidden value (chapter 24.5: http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag ). 最后一次尝试是从隐藏值中获取值(第24.5章: http : //docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags -tag )。
Now, I have the following: 现在,我有以下内容:
$(function () {
var token = $("input[name='_csrf']").val();
var header = "X-CSRF-TOKEN";
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});
$.ajax({
url: "./delete/car",
type: "POST",
success:function(response) {
alert(response);
}
});
With this it works like a charm. 有了它,它就像一个魅力。
Another way, you can use the following code: 另一种方法,您可以使用以下代码:
$.ajax({
url : './delete/car',
headers: {"X-CSRF-TOKEN": $("input[name='_csrf']").val()},
type : 'POST',
success : function(result) {
alert(result.msgDetail);
}
})
I suggest you first check if a valid csrf token and the header have been generated using chrome debugger. 我建议您首先检查是否使用chrome调试器生成了有效的csrf令牌和标头。 If not, then have you added the
<sec:csrfMetaTags />
in the <head>
?(you will need to import the spring security taglibs). 如果没有,那么你是否在
<head>
添加了<sec:csrfMetaTags />
(你将需要导入spring security taglibs)。 If using Apache tiles, you will have to add this at the <head>
section of the template file being used for the view. 如果使用Apache磁贴,则必须在用于视图的模板文件的
<head>
部分添加它。
If the token is not empty, then in your security-context/configuration file, check if you have disabled csrf security by any chance. 如果令牌不为空,则在您的安全上下文/配置文件中,检查您是否已经禁用了csrf安全性。 By default it is enabled and needs to be for this process to work.
默认情况下,它已启用,需要此过程才能运行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.