[英]Spring Rest Service - Invalid CSRF token when I attempt to login
I have a Spring MVC REST service, with Spring Security (3.2.5.RELEASE) enabled. 我有一个Spring MVC REST服务,启用了Spring Security(3.2.5.RELEASE)。 When I turn on @EnableWebMvcSecurity, a login form is automatically generated for me at http://localhost:8080/login .
当我打开@EnableWebMvcSecurity时,会在http:// localhost:8080 / login为我自动生成一个登录表单。 If I use this form to login, everything works just fine.
如果我使用此表单登录,一切正常。
The problem occurs when I attempt to login by sending a POST request directly. 当我尝试通过直接发送POST请求登录时,会发生此问题。 In my post request, I provide the username and password.
在我的帖子请求中,我提供了用户名和密码。 I also include the http header 'X-CSRF-TOKEN' and for the header value, I use the JSESSIONID that I see has been generated in a cookie.
我还包括http标头'X-CSRF-TOKEN',对于标头值,我使用我看到的JSESSIONID已在cookie中生成。 But when I send this POST request, I get back the following result:
但是,当我发送此POST请求时,我得到以下结果:
HTTP Status 403 - Invalid CSRF Token '29F5E49EFE8D758D4903C0491D56433E'
was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
What am I doing wrong? 我究竟做错了什么? Am I providing the wrong token value?
我提供了错误的令牌价值吗? What is this JSESSIONID?
这是什么JSESSIONID? If I don't enter a value for this header, or omit the header all together, it tells me "Null CSRF token found".
如果我没有为此标题输入值,或者一起省略标题,则会告诉我“找到空的CSRF标记”。
Below is my Spring Security configuration: 以下是我的Spring Security配置:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/secure/**").authenticated()
.and()
.formLogin()
.usernameParameter("username")
.passwordParameter("password")
.and()
.logout()
.and()
.httpBasic()
.and()
.csrf();
}
}
I'd really appreciate any help! 我真的很感激任何帮助! Thanks in advance!
提前致谢!
(1) Include the CSRF token within all your AJAX requests.
(1)在所有AJAX请求中包含CSRF令牌。
$(function () {
var token = $('#logoutform>input').val();
var header = $('#logoutform>input').attr('name');
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader('X-CSRF-TOKEN', token);
});
});
(2) Simple request .
(2)简单的要求。
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
You need to send the csrf
token when you submit the login form. 您需要在提交登录表单时发送
csrf
令牌。 Please add the below line in the HTML form: 请在HTML表单中添加以下行:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
you need <meta name="_csrf" content="${_csrf.token}"/>
, https://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/#ajax-requests 你需要
<meta name="_csrf" content="${_csrf.token}"/>
https://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-亮点-CSRF保护/#Ajax的请求
or if you are using thymeleaf <meta name="_csrf" th:content="${_csrf.token}" />
或者如果你使用的是thymeleaf
<meta name="_csrf" th:content="${_csrf.token}" />
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.