
_csrf token in 2 forms in the same JSP (CSRF protection)

I want to protect my application against cross-site request forgery (CSRF) attacks, so I added this to my applicationContext.xml:

<security:global-method-security secured-annotations="enabled" />

<security:http auto-config="true">
    <security:csrf/>
    <security:intercept-url pattern="/**" access="permitAll" />
</security:http>

<security:authentication-manager/>

and this to my web.xml:

<!-- spring security csrf -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>fr.telecom.support.context.DevicesSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

and this is my filter:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;

// EcasUser and ThreadContext are application classes that are not shown on this page.
public class DevicesSecurityFilter extends DelegatingFilterProxy {

    public DevicesSecurityFilter() {
    }

    public DevicesSecurityFilter(Filter delegate) {
        super(delegate);
    }

    public DevicesSecurityFilter(String targetBeanName) {
        super(targetBeanName);
    }

    public DevicesSecurityFilter(String targetBeanName, WebApplicationContext wac) {
        super(targetBeanName, wac);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            ThreadContext threadContext = ThreadContext.getInstance();

            // Copy the authenticated principal's domain user name into the thread-local context.
            try {
                EcasUser ecasUser = (EcasUser) httpServletRequest.getUserPrincipal();
                if (ecasUser != null) {
                    threadContext.setDomainUsername(ecasUser.getDomainUsername());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
            threadContext.setUserID(httpServletRequest.getRemoteUser());
        }

        System.out.println("filterChain -> " + filterChain);

        // Continue with the container's filter chain. This override does not call
        // super.doFilter(), which is the DelegatingFilterProxy method that hands the
        // request to the springSecurityFilterChain bean.
        if (filterChain != null) {
            filterChain.doFilter(request, response);
        }
    }
}

There is one JSP with two forms, shown below. When I submit the first form everything is fine, but when I submit the second form I get this error:

This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage. For more information about HTTP errors, see Help.

<form name="buttonpanelform1" action="products.do" method="POST">
    <input type="hidden" name="_csrf" value="470bb7e4-1985-42c8-92fe-0b5edbfcd432"/>
    <table align="center" border="0" cellpadding="10" cellspacing="0" width="100%">
        <tbody>
            <tr>
                <td align="left">
                    <input type="submit" name="btn_addItem" value="btn_addItem">
                </td>
                <td align="right">
                    <input type="submit" name="btn_saveAndContinue" value="btn_saveAndContinue">
                </td>
            </tr>
        </tbody>
    </table>
</form>

<form name="addItemForm" class="special" action="products.do" method="POST" enctype="multipart/form-data" style="clear:both;">
    <input type="hidden" name="_csrf" value="470bb7e4-1985-42c8-92fe-0b5edbfcd432"/>
    <table align="center" border="0" cellpadding="10" cellspacing="0" width="100%">
        <tbody>
            <tr>
                <td align="left"></td>
                <td align="right">
                    <input type="submit" name="btn_saveItem" value="btn_saveItem">
                </td>
            </tr>
        </tbody>
    </table>
</form>

Your second form uses multipart encoding, so the Spring Security filter cannot extract the posted CSRF token. If your form needs that encoding (it is uploading a file), the Spring Security documentation offers two possible solutions:

Either make sure the multipart data is parsed before the request reaches the Spring Security filter chain, or post the CSRF token as a request parameter in the form's action attribute.

For more information see: http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-multipart
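The first of the two options, written out as an added example that is not part of the original answer: web.xml registers Spring's MultipartFilter ahead of springSecurityFilterChain, so the multipart body is already parsed and the `_csrf` field is visible as an ordinary request parameter when CsrfFilter runs. The filter classes and the bean name filterMultipartResolver (the name MultipartFilter looks up by default) come from the Spring reference; using the stock DelegatingFilterProxy as the filter class and the maxUploadSize value are assumptions for the example.

```xml
<!-- web.xml: the container runs filters in filter-mapping order,
     so MultipartFilter must be mapped before springSecurityFilterChain. -->
<filter>
    <filter-name>MultipartFilter</filter-name>
    <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <!-- Assumption: the stock Spring proxy that delegates to the springSecurityFilterChain bean. -->
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>MultipartFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext.xml (root context): MultipartFilter looks up a MultipartResolver bean
     named "filterMultipartResolver". CommonsMultipartResolver needs commons-fileupload on
     the classpath. -->
<bean id="filterMultipartResolver"
      class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    <!-- Assumed cap (10 MiB); bound the body size, since it is parsed before any authorization. -->
    <property name="maxUploadSize" value="10485760"/>
</bean>
```

The second option keeps the filter order as it is and instead puts the token on the multipart form's action attribute, so it arrives in the query string rather than in a body part that CsrfFilter cannot read: `action="products.do?${_csrf.parameterName}=${_csrf.token}"` (the `_csrf` request attribute that CsrfFilter exposes, assuming EL is enabled in the JSP). The trade-off the reference points out applies to both: parsing multipart first means an unauthenticated or forged request can make the server buffer an upload to temporary storage before the token is ever checked, hence the size cap above, while the query-string variant puts the token into browser history and proxy or server access logs, so it should be limited to the multipart forms that actually need it. The `_csrf` hidden field in the first, URL-encoded form keeps working unchanged either way.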
