具有CSRF保护的Java Jersey POST请求
[英]Java Jersey POST Request with CSRF Protection
问题描述
I have a spring boot REST Service which offers some methods. 
我有一个提供一些方法的spring boot REST服务。 They are protected by CSRF and Username / Password Basic Auth (https). 它们受CSRF和用户名/密码基本身份验证(https)的保护。
But when I try to do a POST Request it fails with Status Code 403 and Message "Could not verify the provided CSRF token because your session was not found" 但是,当我尝试执行POST请求时,它将失败,并显示状态代码403和消息“由于未找到您的会话,因此无法验证提供的CSRF令牌”
That's my client code: 那是我的客户代码:
ApiMessage msg = new ApiMessage("Client1", "Key1", "Value1");
// Set up Basic Authentication
HttpAuthenticationFeature feature = HttpAuthenticationFeature.basicBuilder()
.nonPreemptive()
.credentials(ApiUser, ApiUserPassword)
.build();
ClientConfig clientConfig = new ClientConfig();
clientConfig.register(feature);
Client client = ClientBuilder.newClient(clientConfig);
// Set up client and target (ApiHost = URI for the request Ressource)
WebTarget target = client.target(ApiHost);
WebTarget checkTarget = target.path("check");
Invocation.Builder invocationBuilder = checkTarget.request(MediaType.APPLICATION_JSON);
// Do a first request to get the CSRF Header
Response response = invocationBuilder.post(Entity.entity(msg, MediaType.APPLICATION_JSON));
if (response.getStatus() == 200) {
System.out.println("Without CSRF - everything worked. ");
} else if (response.getStatus() == 403) {
System.out.println("CSRF Protection: " + response.getStatus() + response.readEntity(String.class));
// Get CSRF Token out of the response
Map<String, NewCookie> cookies = response.getCookies();
String csrf = cookies.get("XSRF-TOKEN").getValue();
// Add the Token to the header and POST again
invocationBuilder.header("X-XSRF-TOKEN", csrf);
response = invocationBuilder.post(Entity.entity(msg, MediaType.APPLICATION_JSON));
if (response.getStatus() != 200) {
System.out.println("Error: " + response.getStatus() + response.readEntity(String.class));
} else {
System.out.println("With CSRF - everything worked. ");
}
} else {
System.out.println(response.getStatus() + " " + response.readEntity(String.class));
}
The first request ends with Status 403 and message "Could not verify the provided CSRF token because your session was not found". 第一个请求以状态403和消息“由于未找到您的会话而无法验证提供的CSRF令牌”结束。 After that I extract the CSRF Token successful out of the response header. 之后,我从响应头中提取成功的CSRF令牌。 But the second request with CSRF header fails with the same error. 但是带有CSRF标头的第二个请求失败,并出现相同的错误。
Doing the same in Postman works fine. 在邮递员中做同样的事情很好。
Any ideas where is my mistake and what I am doing wrong? 任何想法我的错误在哪里,我在做什么错?
1 个解决方案
解决方案1
0 2017-07-11 11:35:10
There's probably a session cookie you also need to send back, like JSESSIONID. 您可能还需要发送回一个会话Cookie,例如JSESSIONID。 Get that cookie. 获取该cookie。 From the NewCookie you create a Cookie and add it to the request 在NewCookie您创建一个Cookie并将其添加到请求中
NewCookie session = cookies.get("JSESSIONID");
Cookie cookie = session.toCookie();
invocationBuilder.cookie(cookie);
If it's not JSESSIONID, check all the cookies. 如果不是JSESSIONID,请检查所有cookie。 It might be something else. 可能还有别的东西。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.