无法验证提供的 CSRF 令牌,因为未找到您的会话。</error_description><error> 访问被拒绝</error></oauth> *
[英]Could not verify the provided CSRF token because your session was not found.</error_description><error>access_denied</error></oauth>*
问题描述
I am developing Spring MVC + Spring Security OAuth2 example.
我正在开发Spring MVC + Spring Security OAuth2示例。
In this example I was using the在这个例子中,我使用了
- Spring Security version
<springsec.version>3.2.8.RELEASE</springsec.version>Spring 安全版本<springsec.version>3.2.8.RELEASE</springsec.version> - Spring MVC version
<spring.version>4.0.9.RELEASE</spring.version>Spring MVC 版本<spring.version>4.0.9.RELEASE</spring.version>
But my business client wants to update Spring and Security dependencies to their latest versions.但是我的业务客户想要将 Spring 和 Security 依赖项更新到他们的最新版本。 I changed我变了
Spring MVC to
<spring.version>4.3.1.RELEASE</spring.version>andSpring MVC 到<spring.version>4.3.1.RELEASE</spring.version>和Security to
<springsec.version>4.1.1.RELEASE</springsec.version>.<springsec.version>4.1.1.RELEASE</springsec.version>。
I was able to successfully deploy the application, however when I tried to get an access token using below CURL command I got the following error.我能够成功部署应用程序,但是当我尝试使用以下 CURL 命令获取访问令牌时,出现以下错误。 Why ?为什么?
C:\>curl -vvv -X POST "http://localhost:8080/demo.rest.springsecurity.oauth2.0.authentication/oauth/token?username=user1&password=user1&client_id=client1&client_secret=client1&grant_type=password&scope=read,write,trust"
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /demo.rest.springsecurity.oauth2.0.authentication/oauth/token?username=user1&password=user1&client_id=client1&client_secret=client1&grant_type=password&scope=read,write,trust HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.46.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=D3BE17423B26618D2931A9B317E422E1; Path=/demo.rest.springsecurity.oauth2.0.authentication/; HttpOnly
< Cache-Control: no-store
< Pragma: no-cache
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Wed, 17 Aug 2016 11:19:28 GMT
<
<oauth><error_description>Could not verify the provided CSRF token because your session was not found.</error_description><error>access_denied</error></oauth>* Connection #0 to host localhost left intact
C:\>
My pom.xml for reference:我的pom.xml供参考:
<properties>
<!-- General Properties -->
<java.version>1.8</java.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<!-- Spring Security -->
<!-- <springsec.version>3.2.8.RELEASE</springsec.version> -->
<springsec.version>4.1.1.RELEASE</springsec.version>
<!-- Spring MVC -->
<!-- <spring.version>4.0.9.RELEASE</spring.version> -->
<spring.version>4.3.1.RELEASE</spring.version>
<!-- Jersey Server -->
<jersey-version>1.19</jersey-version>
<!-- Spring Security OAuth2 -->
<spring-security-oauth2-version>2.0.10.RELEASE</spring-security-oauth2-version>
<logback.version>1.1.7</logback.version>
<jcl-over-slf4j.version>1.7.21</jcl-over-slf4j.version>
<!-- Servlet, JSP, CGLIB, JSTL -->
<servlet.version>3.1.0</servlet.version>
<jsp.version>2.2</jsp.version>
<cglib.version>2.2.2</cglib.version>
<jstl.version>1.2</jstl.version>
</properties>
<dependencies>
<!-- Spring Security OAuth2 -->
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>${spring-security-oauth2-version}</version>
</dependency>
<!-- Spring Web MVC -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring security core, web, config, aspects, taglibs -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${springsec.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${springsec.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>${springsec.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${springsec.version}</version>
</dependency>
<!-- JSTL -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>${jstl.version}</version>
</dependency>
<!-- Jersey Server -->
<dependency>
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-server</artifactId>
<version>${jersey-version}</version>
</dependency>
<!-- Jersey Client -->
<dependency>
<groupId>com.sun.jersey.contribs</groupId>
<artifactId>jersey-apache-client</artifactId>
<version>${jersey-version}</version>
</dependency>
<!-- Spring Jersey -->
<dependency>
<groupId>com.sun.jersey.contribs</groupId>
<artifactId>jersey-spring</artifactId>
<version>${jersey-version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Jersey JSON -->
<dependency>
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-json</artifactId>
<version>${jersey-version}</version>
</dependency>
<dependency>
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-client</artifactId>
<version>${jersey-version}</version>
</dependency>
<!-- Spring Core, Context, Support, beans, test, Web MVC -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>${spring.version}</version>
<scope>test</scope>
</dependency>
<!-- logging, slf4j -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${jcl-over-slf4j.version}</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
<!-- Cglib -->
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib</artifactId>
<version>${cglib.version}</version>
</dependency>
<!-- Servlet -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>${servlet.version}</version>
</dependency>
<!-- JSP API -->
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>
<version>${jsp.version}</version>
<scope>provided</scope>
</dependency>
spring-servlet.xml spring-servlet.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd ">
<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="authenticationManager"
xmlns="http://www.springframework.org/schema/security" >
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http pattern="/resources/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/resources/**" method="GET" />
<!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> -->
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http pattern="/logout" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/logout" method="GET" />
<sec:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<bean id="logoutSuccessHandler" class="demo.oauth2.authentication.security.LogoutImpl" >
<property name="tokenstore" ref="tokenStore"></property>
</bean>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="springsec/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
</bean>
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="clientDetails" class="demo.oauth2.authentication.security.ClientDetailsServiceImpl"/>
<authentication-manager id="userAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="customUserAuthenticationProvider">
</authentication-provider>
</authentication-manager>
<bean id="customUserAuthenticationProvider"
class="demo.oauth2.authentication.security.CustomUserAuthenticationProvider">
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:authorization-code />
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials />
<oauth:password authentication-manager-ref="userAuthenticationManager"/>
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="springsec" token-services-ref="tokenServices" />
<!-- <bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" /> -->
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="300000"></property>
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<mvc:annotation-driven /> <!-- Declares explicit support for annotation-driven MVC controllers @RequestMapping, @Controller -->
<mvc:default-servlet-handler />
<bean id="MyResource" class="demo.oauth2.authentication.resources.MyResource"></bean>
</beans>
1 个解决方案
解决方案1
0 已采纳 2016-08-17 12:13:06
I got the solution.我得到了解决方案。 In order to vanish the "Could not verify the provided CSRF token because your session was not found."为了消除"Could not verify the provided CSRF token because your session was not found." error we need to simply add <sec:csrf disabled="true" /> to all element to <http > tag like below.错误我们需要简单地将<sec:csrf disabled="true" />添加到<http > 标记的所有元素,如下所示。
<http pattern="/oauth/token" auto-config="true" create-session="stateless" authentication-manager-ref="authenticationManager"
xmlns="http://www.springframework.org/schema/security" >
<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- Added this to fix error -->
<sec:csrf disabled="true" />
</http>
<http pattern="/resources/**" auto-config="true" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/resources/**" method="GET" />
<!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_FULLY" /> -->
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- Added this to fix error -->
<sec:csrf disabled="true" />
</http>
<http pattern="/logout" create-session="never" auto-config="true"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/logout" method="GET" />
<sec:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- Added this to fix error -->
<sec:csrf disabled="true" />
</http>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
具有Security&REST端点的Spring MVC给出了403“由于未找到您的会话,因此无法验证提供的CSRF令牌” - Spring MVC with Security & REST endpoint gives a 403 “Could not verify the provided CSRF token because your session was not found”
Spring oauth2 中的 error="invalid_grant", error_description="Bad credentials" - error="invalid_grant", error_description="Bad credentials" in Spring oauth2
错误HTTP状态403-在请求参数'_csrf'或标头'X-CSRF-TOKEN'上发现无效的CSRF令牌'null' - Error HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
Spring OAuth2中无法解析名称为“ forward:/ oauth / confirm_access”的视图 - Could not resolve view with name 'forward:/oauth/confirm_access' error in Spring OAuth2
找不到HTTP状态404-页面。 SpringMVC错误 - HTTP status 404-Page not found. SpringMVC error
使用Spring和Jetty时出现错误“找不到服务。” - Error “No service was found.” while using Spring and Jetty
HTTP错误404。找不到请求的资源。 春季MVC - HTTP Error 404. The requested resource is not found. Spring MVC
上传时出现HTTP 403错误 - 无效的CSRF令牌'null' - HTTP 403 error while upload - Invalid CSRF Token 'null'
在请求访问令牌OAuth2 Spring实现时出现500 http错误 - Getting 500 http error on requesting access token OAuth2 Spring implementation
无法写入 JSON:无法初始化代理 - 没有会话错误 - Could not write JSON: could not initialize proxy - no Session error
相关标签