[英]csrf token without jsp (spring mvc)
I enabled csrf token in config of Spring security.我在 Spring 安全配置中启用了 csrf 令牌。 But how mobile device recieve csrf token?
但是移动设备如何接收 csrf 令牌? When I had jsp, it looked like:
当我有 jsp 时,它看起来像:
<input type='hidden' name='${_csrf.parameterName}' value='${_csrf.token}'/>
But now I have no jsp... so any way to send csrf manually?但是现在我没有 jsp... 那么有什么方法可以手动发送 csrf 吗?
A popular practice is to code a filter to attach the token as a cookie. 一种流行的做法是对过滤器进行编码,以将令牌作为cookie附加。 Your client then sends a GET request first to fetch that cookie.
然后,您的客户端首先发送GET请求以获取该Cookie。 For the subsequent requests, that cookie is then sent back as a header.
对于后续请求,该Cookie然后作为标头发送回。
You can look at the official Spring Angular guide , and refer to Spring Lemon 's source code for a detailed implementation. 您可以查看官方的Spring Angular指南 ,并参考Spring Lemon的源代码以获取详细的实现。
You could implement a stateless CSRF protection. 您可以实施无状态CSRF保护。 One solution nicely explained by Robbert van Waveren is to have the clients generate and send the same unique secret value in both a Cookie and a custom HTTP header :
Robbert van Waveren很好地解释了一种解决方案,即让客户端在Cookie和自定义HTTP标头中生成并发送相同的唯一秘密值 :
Considering a website is only allowed to read/write a Cookie for its own domain, only the real site can send the same value in both headers.
考虑到仅允许网站为其自己的域读取/写入Cookie,因此只有真实网站才能在两个标头中发送相同的值。 Using this approach all your server has to do is check if both values are equal, on a stateless per request basis!
使用这种方法,您的服务器要做的就是在每个请求无状态的基础上检查两个值是否相等!
You may obtain it by looking inside of the _csrf
attribute.您可以通过查看
_csrf
属性来获取它。
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/csrf_token")
public class CsrfTokenController {
@GetMapping
public String getToken(HttpServletRequest request) {
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
return token.getToken();
}
}
If CSRF is enabled, you have to include a _csrf.token in the page you want to login or logout. 如果启用了CSRF,则必须在要登录或注销的页面中包含_csrf.token。 Otherwise, both login and logout function will be failed.
否则,登录和注销功能都将失败。
Refer this for more help. 请参阅此以获得更多帮助。
EDIT: You can get csrf token from request and send it according to your need. 编辑:您可以从请求中获取csrf令牌,并根据需要发送它。 I have shared two references for csrf token please go through them.
我共享了两个有关CSRF令牌的参考,请仔细阅读它们。 It will help you.
它会帮助你。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.