CSRF token not found

I am following a tutorial on Spring Security and I have the following so far. I get the following error when I try to log in from my login page:

HTTP Status 403 - Expected CSRF token not found. Has your session expired?

The solution I found on Stack Overflow indicated to add a hidden attribute to the form and I did that. This is the attribute:

<input type="hidden" name="${_csrf.parameterName}" value="{_csrf.token}"/>

I have rechecked the code multiple times and I keep getting the same 403 error even though my code seems to exactly match the Udemy tutorial.

Thanks in advance.

My login.jsp page:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html>

<html>

    <head>

        <title>Please login</title>
    </head>

    <body>

    <c:url value="/login" var="loginProcessingUrl"/>
 <form action="${loginProcessingUrl}" method="post">

    <fieldset>
        <legend>Please Login</legend>
        <!-- use param.error assuming FormLoginConfigurer#failureUrl contains the query parameter error -->
        <c:if test="${param.error != null}">
            <div>
                Failed to login.
                <c:if test="${SPRING_SECURITY_LAST_EXCEPTION != null}">
                  Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
                </c:if>
            </div>
        </c:if>
        <!-- the configured LogoutConfigurer#logoutSuccessUrl is /login?logout and contains the query param logout -->
        <c:if test="${param.logout != null}">
            <div>
                You have been logged out.
            </div>
        </c:if>
        <p>
        <label for="username">Username</label>
        <input type="text" id="username" name="username"/>
        </p>
        <p>
        <label for="password">Password</label>
        <input type="password" id="password" name="password"/>
        </p>
        <!-- if using RememberMeConfigurer make sure remember-me matches RememberMeConfigurer#rememberMeParameter -->
        <p>
        <label for="remember-me">Remember Me?</label>
        <input type="checkbox" id="remember-me" name="remember-me"/>

        </p>


        <input type="hidden" name="${_csrf.parameterName}" value="{_csrf.token}"/>
        <div>
            <button type="submit" class="btn">Log in</button>
        </div>


    </fieldset>

 </form>

    </body>


</html>

My index.jsp with a logout form:

<!DOCTYPE html>

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>

<html>
    <head>
        <meta charset="utf-8">
        <title>Welcome</title>
    </head> 
    <body>
        <c:url value="/showMessage.html" var="messageUrl" />
        <a href="${messageUrl}">Click to enter</a>

        <form action="logout" method="post">
            <input type="submit" value="logout"/>
            <input type="hidden" name="${_csrf.parameterName}" value="{_csrf.token}"/>

        </form>
    </body>
</html>

My security config file:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception{

        http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
        .loginPage("/login")
            .and()
        .httpBasic();
    }
}

An empty WebApplicationInitializer:

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {

}

A login controller:

@Controller
public class LoginController {

    @RequestMapping(value="/login", method=RequestMethod.GET)
    public String loginPage(ModelMap map){

        //prefix: /WEB-INF/view
        //postfix .jsp
        //prefix + view + postfix
        // /WEB-INF/view/login.jsp
        return "login";

    }
}

This is the code in my application-config.xml:

<context:component-scan
        base-package="com.springsecurityexample"/>

This is the code in my mvc-config.xml file:

<context:component-scan
        base-package="com.springsecurityexample.web"/> 


<mvc:annotation-driven />

<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <!-- Example: a logical view name of 'showMessage' is mapped to '/WEB-INF/jsp/showMessage.jsp' -->
        <property name="prefix" value="/WEB-INF/view/"/>
        <property name="suffix" value=".jsp"/>
</bean>

And my web.xml file:

<display-name>SpringSecurityTut1</display-name>

   <!--
        - Location of the XML file that defines the root application context.
        - Applied by ContextLoaderListener.
    -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:spring/application-config.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <!--
        - Servlet that dispatches request to registered handlers (Controller implementations).
    -->
    <servlet>
        <servlet-name>dispatcherServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/mvc-config.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>dispatcherServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

</web-app>

Maybe you need <form:form></form:form> because

 <input type="hidden"
               name="${_csrf.parameterName}"
               value="${_csrf.token}"/>

is a Spring tag.

It was a simple mistake that cost me a whole day. I forgot the "$" in my value assignment in both the login and index page.

I had value="{_csrf.token}" instead of value="${_csrf.token}"

That was it. A missing dollar sign!! Thanks for all the input, people.
