csrf token without jsp (spring mvc)

I enabled the csrf token in the config of Spring Security. But how does a mobile device receive the csrf token? When I had jsp, it looked like:

<input type='hidden' name='${_csrf.parameterName}' value='${_csrf.token}'/>

But now I have no jsp... so is there any way to send the csrf token manually?

A popular practice is to code a filter to attach the token as a cookie. Your client then sends a GET request first to fetch that cookie. For the subsequent requests, that cookie is then sent back as a header.

You can look at the official Spring Angular guide, and refer to Spring Lemon's source code for a detailed implementation.
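One way to wire up the cookie-based approach described in this answer, as an added example that is not part of the original post or of Spring Lemon. It assumes Spring Security 5.x with the lambda DSL; Spring's own CookieCsrfTokenRepository uses the cookie name XSRF-TOKEN and the header name X-XSRF-TOKEN by default, so no custom filter is needed:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfCookieConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Hand the token to the client in the XSRF-TOKEN cookie. HttpOnly is
            // switched off on purpose: a non-browser client (mobile app) and JS in
            // a browser both need to read the cookie value to copy it into the
            // X-XSRF-TOKEN header. Spring's CsrfFilter then compares header and
            // cookie on every state-changing request (POST, PUT, DELETE, ...).
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Client flow (assumed hypothetical endpoints, shown as comments for reference):
//   1. GET /api/profile           -> response carries Set-Cookie: XSRF-TOKEN=<value>
//   2. POST /api/profile
//        Cookie: XSRF-TOKEN=<value>
//        X-XSRF-TOKEN: <value>    -> accepted; a missing or mismatched header is a 403
```

Because the cookie is readable by script, the token is only as safe as the page is from XSS, so this setup does not remove the need to keep the client free of injected script. In Spring Security 6 the token is rendered lazily, so the cookie is only written once something reads the CsrfToken request attribute (for example an endpoint like the /csrf_token controller shown in another answer on this page).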

You could implement a stateless CSRF protection. One solution nicely explained by Robbert van Waveren is to have the clients generate and send the same unique secret value in both a Cookie and a custom HTTP header:

Considering a website is only allowed to read/write a Cookie for its own domain, only the real site can send the same value in both headers. Using this approach all your server has to do is check if both values are equal, on a stateless per request basis!

You may obtain it by looking inside of the _csrf attribute.

import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/csrf_token")
public class CsrfTokenController {
    @GetMapping
    public String getToken(HttpServletRequest request) {
        // Spring Security's CsrfFilter stores the current token under the
        // "_csrf" request attribute (the same object the JSP tag read from).
        CsrfToken token = (CsrfToken) request.getAttribute("_csrf");

        return token.getToken();
    }
}

If CSRF is enabled, you have to include a _csrf.token in the page you want to login or logout. Otherwise, both the login and logout functions will fail.

Refer to this for more help.

EDIT: You can get the csrf token from the request and send it according to your need. I have shared two references for the csrf token, please go through them. It will help you.

First Ref
Second Ref
