
CSRF token per request in Spring Security

How to implement CSRF per request in Spring Security 3.2? Currently it is handled per session. This is a must requirement.

Please post the changes that need to be performed.

In securitycontext.xml

    <http>
        <csrf />
    </http>

is given and the application is working with a token per session.

You can change the default implementation of CsrfTokenRepository by providing your own implementation of this interface and configuring it like:

<http>
    <csrf token-repository-ref="myRequestCsrfTokenRepository"/>
</http>
<b:bean id="myRequestCsrfTokenRepository"
        class="com.company.security.RequestCsrfTokenRepository"/>

But... although you wrote that this is a must requirement, you should really rethink it again. I would even advise trying to convince the other end that this change could bring more security to the app users, but it can also bring a lot of inconveniences, sometimes strange behaviours, and in general decrease the usability and user experience. E.g. see Different csrf token per request in Spring security.

I have implemented a custom CSRF token repository which generates a new token for every HTTP POST/DELETE request. I don't think the token should be renewed for HTTP GET, and if you look into the source code of Spring's CsrfFilter class, it has an inner class DefaultRequiresCsrfMatcher which skips token checking for the GET method.

The custom CSRF token repository needs to implement the interface CsrfTokenRepository. Actually I have reused most of the code of HttpSessionCsrfTokenRepository, which is the Spring default. The function that needs a custom implementation is loadToken():

    /* Customized loadToken(): invalidates the CSRF token once it has been consumed by a
       state-changing request. CsrfFilter generates a new token on the next HTTP request
       because loadToken() then returns null. */
    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        CsrfToken token = session == null ? null
                : (CsrfToken) session.getAttribute(this.sessionAttributeName);
        String method = request.getMethod();
        if ("POST".equals(method) || "DELETE".equals(method)) {
            if (session != null) {
                // Remove the old token from the session (same attribute name it was read from).
                // The filter still compares this request against the returned token;
                // the next request finds nothing stored and gets a new one.
                session.removeAttribute(this.sessionAttributeName);
            }
        }
        return token;
    }

And to get the custom CSRF token repository loaded, it needs to be configured in security.xml, as described in the answers above.
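As an added illustration, not code from either answer nor from Spring itself, here is a complete repository class that ties the two answers together: the `RequestCsrfTokenRepository` bean named in the first answer's XML, with the consume-on-load behaviour of the second answer. It generalises the POST/DELETE check to every method outside the HTTP safe set (GET, HEAD, TRACE, OPTIONS), which is the same set Spring's DefaultRequiresCsrfMatcher treats as not requiring protection, and it only consumes the stored token when the request actually presented the right value, so a forged cross-site POST (which carries no valid token and is rejected anyway) cannot burn a legitimate user's token. The package, class name and session attribute name are assumptions; the parameter and header names are Spring's defaults; the three methods are the Spring Security 3.2 CsrfTokenRepository contract.

```java
package com.company.security;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;

/**
 * Session-backed CsrfTokenRepository whose token is single-use for
 * state-changing requests (example code; package, class and attribute names are assumed).
 *
 * CsrfFilter calls loadToken() once per request, compares the value the client
 * presented with what we return and, if we return null, calls generateToken()
 * and saveToken() to issue a fresh one. So: return the current token so the
 * filter can validate this request, but drop it from the session once a request
 * has actually presented it; the next request then receives a new token.
 */
public class RequestCsrfTokenRepository implements CsrfTokenRepository {

    // Assumed attribute name; any key that does not collide with other session data works.
    private static final String SESSION_ATTR =
            RequestCsrfTokenRepository.class.getName() + ".CSRF_TOKEN";

    // Methods that never require CSRF protection (same set as Spring's DefaultRequiresCsrfMatcher).
    private static final Set<String> SAFE_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    // Same defaults as HttpSessionCsrfTokenRepository, so existing forms and JS keep working.
    private String parameterName = "_csrf";
    private String headerName = "X-CSRF-TOKEN";

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        return new DefaultCsrfToken(headerName, parameterName, UUID.randomUUID().toString());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        if (token == null) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(SESSION_ATTR);
            }
        } else {
            // Creates the session if needed, exactly like the default repository.
            request.getSession().setAttribute(SESSION_ATTR, token);
        }
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        CsrfToken token = (CsrfToken) session.getAttribute(SESSION_ATTR);
        if (token != null
                && !SAFE_METHODS.contains(request.getMethod().toUpperCase())
                && presentedTokenMatches(token, request)) {
            // Consume the token: the filter still validates this request against the
            // returned value, but nothing is left in the session for the next request,
            // so CsrfFilter will generate and save a fresh one there.
            session.removeAttribute(SESSION_ATTR);
        }
        return token;
    }

    /**
     * Only a request that actually carries the current token consumes it. Without this
     * check a forged cross-site POST, which carries no token and is rejected by the
     * filter anyway, would still erase the legitimate user's token and break the form
     * they are about to submit.
     */
    private boolean presentedTokenMatches(CsrfToken token, HttpServletRequest request) {
        String presented = request.getHeader(token.getHeaderName());
        if (presented == null) {
            presented = request.getParameter(token.getParameterName());
        }
        return token.getToken().equals(presented);
    }

    public void setParameterName(String parameterName) { this.parameterName = parameterName; }
    public void setHeaderName(String headerName) { this.headerName = headerName; }
}
```

Wire it in with the `token-repository-ref` bean from the first answer. Two behaviours to check in your own app before adopting it: CsrfFilter exposes the token returned by loadToken() as the `_csrf` request attribute, so a view rendered directly from a consuming POST (for example a form re-rendered on a validation error) embeds the token that was just invalidated; redirecting after POST avoids that. And because there is only one stored token, two state-changing AJAX requests in flight at the same time race for it, and the second one loses.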
