Spring Boot -- Post request with CSRF token produces 403 error

I'm trying to implement CSRF token security in my Spring Boot API to learn how to deal with that.

I've followed this tutorial (server side part) and this is my security config:

    private static final String[] CSRF_IGNORE = {"/api/login"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                    .ignoringAntMatchers(CSRF_IGNORE)
                    .csrfTokenRepository(csrfTokenRepository())
                .and()
                .addFilterAfter(new CustomCsrfFilter(), CsrfFilter.class)
                .exceptionHandling()
                    .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and()
                .authenticationProvider(getProvider())
                .formLogin()
                    .loginProcessingUrl("/api/login")
                    .successHandler(new AuthentificationLoginSuccessHandler())
                    .failureHandler(new SimpleUrlAuthenticationFailureHandler())
                .and()
                .logout()
                    .logoutUrl("/api/logout")
                    .logoutSuccessHandler(new AuthentificationLogoutSuccessHandler())
                    .invalidateHttpSession(true)
                .and()
                .authorizeRequests()
                    .anyRequest().authenticated();
    }

Other things are the same as in the tutorial.

I'm testing with Postman.

When I add the endpoint I want to CSRF_IGNORE, I can see with logger/debug that the stocked token and the token from the cookie are the same, because the CustomCsrfFilter.java part of the security config in .addFilterAfter() is used. But when I remove the endpoint from CSRF_IGNORE, what I get is a 403, and the logger/debug in CustomCsrfFilter.java isn't used, so I'm thinking that the tokens aren't compared.

I think I missed something and I would like to understand.

If you want to use CSRF with an http-only-false cookie, why not use Spring Security's built-in CookieCsrfTokenRepository? It should simplify your config that way. CustomCsrfFilter seems to be adding an XSRF-TOKEN cookie to the HttpServletResponse, which CookieCsrfTokenRepository does for you.

The default CSRF cookie name when using CookieCsrfTokenRepository is X-CSRF-TOKEN, which is conveniently the default name Angular's HttpClientXsrfModule uses. Of course you can customize that if you need.

So your security config becomes:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf()
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
                .exceptionHandling()
                    .authenticationEntryPoint(new Http403ForbiddenEntryPoint())
                .and()
                    .authenticationProvider(getProvider())
                .formLogin()
                    .loginProcessingUrl("/api/login")
                    .successHandler(new AuthentificationLoginSuccessHandler())
                    .failureHandler(new SimpleUrlAuthenticationFailureHandler())
                .and()
                .logout()
                    .logoutUrl("/api/logout")
                    .logoutSuccessHandler(new AuthentificationLogoutSuccessHandler())
                    .invalidateHttpSession(true)
                .and()
                .authorizeRequests()
                    .anyRequest().authenticated();
    }

And with Angular, your app module has HttpClientXsrfModule as:

@NgModule({
  declarations: [
    AppComponent
  ],
  imports: [
    BrowserModule,
    HttpClientModule,
    HttpClientXsrfModule
  ],
  providers: [],
  bootstrap: [AppComponent]
})
export class AppModule { }
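To make the answer's point concrete without a running Spring application, here is an added Python model (not code from the question, the answer, or Spring Security itself) of the double-submit-cookie check that Spring's CsrfFilter performs when CookieCsrfTokenRepository.withHttpOnlyFalse() is configured. The cookie and header names XSRF-TOKEN and X-XSRF-TOKEN are Spring's actual defaults for that repository, and they are also the defaults Angular's HttpClientXsrfModule reads and sends; everything else (the CsrfCheckFilter, CookieTokenRepository and simulate names, the /api/items path and the constructed requests) is this example's own. It also shows why a filter registered with addFilterAfter(..., CsrfFilter.class) logs nothing on a rejected POST: the 403 is produced before the chain ever reaches it.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Spring Security's default names with CookieCsrfTokenRepository; Angular's
# HttpClientXsrfModule reads and sends the same pair by default.
COOKIE_NAME = "XSRF-TOKEN"
HEADER_NAME = "X-XSRF-TOKEN"
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}


@dataclass
class Request:  # constructed stand-in for HttpServletRequest
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:  # constructed stand-in for HttpServletResponse
    status: int = 200
    set_cookies: dict = field(default_factory=dict)


class CookieTokenRepository:
    """Model of CookieCsrfTokenRepository.withHttpOnlyFalse(): the token lives
    only in a cookie that page script may read, so the client can echo it."""

    def load_token(self, req):
        return req.cookies.get(COOKIE_NAME)

    def save_new_token(self, resp):
        token = secrets.token_urlsafe(32)
        resp.set_cookies[COOKIE_NAME] = token
        return token


class CsrfCheckFilter:
    """Model of Spring's CsrfFilter: issue a token if none is present, skip
    safe methods and ignored paths, otherwise require header == cookie."""

    def __init__(self, repo, ignore_paths=()):
        self.repo = repo
        self.ignore_paths = set(ignore_paths)

    def __call__(self, req, resp, next_filter):
        token = self.repo.load_token(req) or self.repo.save_new_token(resp)
        if req.method in SAFE_METHODS or req.path in self.ignore_paths:
            return next_filter(req, resp)
        actual = req.headers.get(HEADER_NAME)
        if actual is None or not hmac.compare_digest(token, actual):
            resp.status = 403  # rejected here; nothing later in the chain runs
            return resp
        return next_filter(req, resp)


def simulate():
    """Run four constructed requests through CsrfCheckFilter -> custom filter."""
    seen_by_custom_filter = []

    def custom_filter(req, resp, next_filter):
        # Stands in for a filter added with addFilterAfter(..., CsrfFilter.class).
        seen_by_custom_filter.append(f"{req.method} {req.path}")
        return next_filter(req, resp)

    def endpoint(req, resp):
        return resp

    csrf = CsrfCheckFilter(CookieTokenRepository(), ignore_paths=["/api/login"])
    # Same order as the question's config: CsrfFilter first, custom filter after it.
    chain = lambda req, resp: csrf(req, resp, lambda r, s: custom_filter(r, s, endpoint))

    # 1. A safe GET passes and is issued the XSRF-TOKEN cookie.
    first = chain(Request("GET", "/api/items"), Response())
    token = first.set_cookies[COOKIE_NAME]
    # 2. Client copies the cookie value into the header: accepted.
    good = chain(Request("POST", "/api/items", cookies={COOKIE_NAME: token},
                         headers={HEADER_NAME: token}), Response())
    # 3. Cookie arrives (browsers attach it automatically) but no header, as in a
    #    cross-site form post or a Postman call that omits the header: 403, and
    #    the custom filter is never reached.
    no_header = chain(Request("POST", "/api/items",
                              cookies={COOKIE_NAME: token}), Response())
    # 4. An ignored path skips the comparison, so the custom filter sees it.
    login = chain(Request("POST", "/api/login",
                          cookies={COOKIE_NAME: token}), Response())

    return {
        "get_status": first.status,
        "good_status": good.status,
        "no_header_status": no_header.status,
        "login_status": login.status,
        "custom_filter_saw": seen_by_custom_filter,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Scenario 3 is the situation in the question: the cookie is present, the header is not, and the request is refused before any filter placed after CsrfFilter can log the comparison. In Postman the same rule applies as in the model: issue a GET first, copy the XSRF-TOKEN cookie value into an X-XSRF-TOKEN header on the POST, and only the paths listed in ignoringAntMatchers are exempt from the check.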
