Spring:以编程方式生成新的csrf标记
[英]Spring: Generate new csrf token programmatically
问题描述
I'm trying to make a webapp that will run on a single HTML page that will allow users to interact with the server through JavaScript and ajax. 
我正在尝试制作一个将在单个HTML页面上运行的webapp,允许用户通过JavaScript和ajax与服务器进行交互。 I'd like to make my requests safe against csrf attacks by including a csrf token in each request. 我想通过在每个请求中包含一个csrf令牌来确保我的请求对csrf攻击是安全的。
Because my webapp will only be operating on a single page, I can't use the ${_csrf.token} (or something like that) syntax in the view because the view is going to be a json object. 因为我的webapp只能在一个页面上运行,所以我不能在视图中使用$ {_ csrf.token}(或类似的东西)语法,因为视图将是一个json对象。 Instead I'd like to have a url like "/security/csrf" that returns a token associated with the user's session. 相反,我希望有一个像“/ security / csrf”这样的URL,它返回与用户会话相关联的令牌。 (Yes, this won't be a restful service exactly.) (是的,这不会是一个宁静的服务。)
Is there some way for me to generate a csrf token that Spring Security will be able to access when verifying a log-in? 有没有办法让我生成一个csrf令牌,Spring Security在验证登录时能够访问该令牌? And additionally, is there a flaw in using csrf tokens in this way? 另外,以这种方式使用csrf令牌是否存在缺陷?
1 个解决方案
解决方案1
1 已采纳 2015-04-18 23:39:22
Token per request will kill caching. 每个请求的令牌将终止缓存。 Token per session is just as safe. 每个会话的令牌同样安全。
In your first html response, include the csrf token in a meta tag, like the docs say: http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-include-csrf-token-ajax 在您的第一个html响应中,在元标记中包含csrf标记,例如文档说: http ://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf- 包括-CSRF令牌阿贾克斯
You can use the same token across requests (in the same session) 您可以跨请求使用相同的令牌(在同一会话中)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.