CRSF LazyCsrfTokenRepository如何工作?
[英]How does CRSF LazyCsrfTokenRepository work?
问题描述
Java 8 - spring 4.3.x 
Java 8-Spring 4.3.x
While configuring spring security and enable csrf feature i came across two implementations of CsrfTokenRepository one is Lazy another is Cokkie based 在配置spring安全性并启用csrf功能时,我遇到了CsrfTokenRepository两个实现,一个是惰性的,另一个是基于Cokkie的。
I know CookieCsrfTokenRepository works using writing a csrf token into cookie and accepts a cookie value in header to verify the valid request 我知道CookieCsrfTokenRepository工作方式是将csrf令牌写入cookie并接受标头中的cookie值以验证有效请求
Can some one help me to understand how does LazyCsrfTokenRepository works ? 有人可以帮助我了解LazyCsrfTokenRepository如何工作吗?
1 个解决方案
解决方案1
4 已采纳 2018-03-02 13:56:22
A
CsrfTokenRepositorythat delays saving newCsrfTokenuntil the attributes of theCsrfTokenthat were generated are accessed.CsrfTokenRepository,它将延迟保存新的CsrfToken直到访问生成的CsrfToken的属性为止。
So why this? 那为什么呢? In earlier versions of Spring Security the HttpSessionCsrfTokenRepository was default. 在Spring Security的早期版本中, HttpSessionCsrfTokenRepository是默认的。 The drawback with this was that it always creates a token, triggering session creation, regardless of whether the token was used or not, which could be wasteful in some applications. 这样做的缺点是,无论是否使用令牌,它总是创建令牌,触发会话创建,这在某些应用程序中可能是浪费的。
The LazyCsrfTokenRepository on the other hand only creates a wrapper, and creates the actual token only if getToken() is invoked (like when for example generating a form). 另一方面, LazyCsrfTokenRepository仅创建包装器,并且仅在调用getToken()时才创建实际令牌(例如,例如生成表单时)。 This avoids unnecessary session creation. 这样可以避免不必要的会话创建。
A gotcha with LazyCsrfTokenRepository is that the actual token generation must still happen before HTTP response is committed , otherwise you get an exception. 以A疑难杂症LazyCsrfTokenRepository是,仍然必须发生实际的令牌生成的HTTP响应被提交之前,否则,你会得到一个异常。 If you get problem with this, it is easiest to use (only) one of the other two implementations. 如果对此有疑问,最简单的方法是(仅)使用其他两种实现之一。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.