[英]How to find CSRF token is working or not
I am Using springs-security.xml
inOrder to configure csrf token. 我正在使用springs-security.xml
inOrder配置csrf令牌。 The csrf token is by defualt enabled. 通过默认启用csrf令牌。 Even though I manually enabled csrf token in configuration file.This is my configuration file. 即使我在配置文件中手动启用了csrf令牌,这也是我的配置文件。
springs-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:http auto-config="true">
<security:access-denied-handler error-page="/denied"/>
<security:form-login login-page="/login"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login?failed=true"
default-target-url="/Hello" always-use-default-target="true"/>
<!-- <security:custom-filter ref="secfilter" before="FILTER_SECURITY_INTERCEPTOR" /> -->
<security:logout invalidate-session="false" logout-url="/j_spring_security_logout" logout-success-url="/logout"/>
<security:csrf />
<security:headers>
<security:frame-options disabled="true"/>
</security:headers>
</security:http>
Jsp
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
<input type="hidden" id="parameterName" value="${_csrf.parameterName}" />
<input type="hidden" id="token" value="${_csrf.token}" />
Those are my configuration files. 这些是我的配置文件。
I am using Ajax call to communicate with server side. 我正在使用Ajax调用与服务器端进行通信。
return $http({
url: 'getCity?' + angular.element('#parameterName').val() + '=' + angular.element('#token').val(),
method: "POST"
})
Here I want to test whether csrf is working or not.How can I test. 在这里我想测试csrf是否正常工作,如何测试。
A couple of ways you can test it: 您可以通过以下两种方法进行测试:
input
element for the CSRF token and edit the token value. 在浏览器中打开开发人员工具,找到CSRF令牌的input
元素,然后编辑令牌值。 Trigger a POST submission. 触发POST提交。 This should cause an error, HTTP status 403 typically. 这将导致错误,通常为HTTP状态403。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.