HTTP状态403 - 未找到预期的CSRF令牌。 你的会话已经过期了吗?
[英]HTTP Status 403 - Expected CSRF token not found. Has your session expired?
问题描述
我正在使用spring security 4.0.1。 我一登录,就会显示我的仪表板。 当我点击某些内容时,它会给我以下错误页面:
HTTP状态403 - 未找到预期的CSRF令牌。 你的会话已经过期了吗?
我已经对它进行了一些研究,它说我需要添加这个http.csrf()。disable()。 我无法添加它,因为它告诉我该方法并且未定义类型httpsecurity。
请在下面找到配置代码:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("userDetailsServiceImpl")
UserDetailsService userDetailsService;
@Autowired
SuccessHandler successHandler;
@Autowired
FailureHandler failureHandler;
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
ShaPasswordEncoder encoder = new ShaPasswordEncoder();
auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login.xhtml").permitAll()
.antMatchers("/pages/**").access("isAuthenticated()")
.antMatchers("/run**").access("isAuthenticated()")
.and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
.successHandler(successHandler)
.failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
.usernameParameter("username")
.passwordParameter("password")
.and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
}
}
Login.xhtml
<!DOCTYPE html>
<f:view>
<h:head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
</script><script src="js/jquery-1.js"></script>
<script src="js/adpacks-demo.js" type="text/javascript"></script>
<script src="js/bsa.js" type="text/javascript"></script>
</h:head>
<h:body>
<form id="login" action='#{request.contextPath}/login' method='POST'>
<h1>Log In</h1>
<fieldset id="inputs">
<input id="username" type="text" name="username" placeholder="Username" />
<input id="password" type="password" name="password" placeholder="Password" />
</fieldset>
<fieldset id="actions">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
<input id="submit" value="Log in" type="submit" /><a href="">Forgot your password?</a>
</fieldset>
</form>
</h:body>
MyConfiguration.java
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.car")
public class MyConfiguration extends WebMvcConfigurerAdapter {
@Bean(name="HelloWorld")
public ViewResolver viewResolver() {
InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
viewResolver.setViewClass(JstlView.class);
viewResolver.setPrefix("/web-inf");
viewResolver.setSuffix(".xhtml");
return viewResolver;
}
/*
* Configure ResourceHandlers to serve static resources like CSS/ Javascript etc...
*/
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/webapp/**").addResourceLocations("/webapp/");
}
}
SecurityWebApplicationInitializer.java
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
AppConfig.java
@Configuration
public class AppConfig {
@Bean
public SuccessHandler successHandler() {
return new SuccessHandler();
}
@Bean
public FailureHandler failureHandler() {
return new FailureHandler();
}
}
在web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.xhtml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
<param-value>false</param-value>
</context-param>
<welcome-file-list>
<welcome-file>login.xhtml</welcome-file>
</welcome-file-list>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<context-param>
<param-name>com.sun.faces.expressionFactory</param-name>
<param-value>com.sun.el.ExpressionFactoryImpl</param-value>
</context-param>
<servlet>
<description>generated-servlet</description>
<servlet-name>CAR Servlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:CAR-web-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<description>
generated-spring-security-session-integration-filter
</description>
<filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
<filter-class>
org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
</filter>
<filter>
<description>generated-persistence-filter</description>
<filter-name>CARFilter</filter-name>
<filter-class>
org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
<init-param>
<param-name>entityManagerFactoryBeanName</param-name>
<param-value>CAR</param-value>
</init-param>
</filter>
<filter>
<description>generated-sitemesh-filter</description>
<filter-name>Sitemesh Filter</filter-name>
<filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
</filter>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>contextAttribute</param-name>
<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>HRBFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Sitemesh Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<persistence-unit-ref>
<persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name>
<persistence-unit-name>CAR</persistence-unit-name>
</persistence-unit-ref>
<persistence-context-ref>
<persistence-context-ref-name>persistence/CAR</persistence-context-ref-name>
<persistence-unit-name>CAR</persistence-unit-name>
</persistence-context-ref>
</web-app>
的pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<properties>
<spring.version>4.0.2.RELEASE</spring.version>
<spring.security.version>3.2.5.RELEASE</spring.security.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.0.7.RELEASE</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aspects</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-instrument</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-instrument-tomcat</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jms</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-oxm</artifactId>
<version>${spring.version}</version>
<exclusions>
<exclusion>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc-portlet</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-struts</artifactId>
<version>3.1.1.RELEASE</version>
<exclusions>
<exclusion>
<groupId>xalan</groupId>
<artifactId>xalan</artifactId>
</exclusion>
<exclusion>
<groupId>oro</groupId>
<artifactId>oro</artifactId>
</exclusion>
<exclusion>
<groupId>commons-digester</groupId>
<artifactId>commons-digester</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency> <!-- Usata da Hibernate 4 per LocalSessionFactoryBean -->
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>3.1.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.6.9</version>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
<version>2.2</version>
</dependency>
<dependency>
<groupId>commons-pool</groupId>
<artifactId>commons-pool</artifactId>
<version>1.5.3</version>
</dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.2</version>
</dependency>
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>3.1</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-acl</artifactId>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-aspects</artifactId>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
</exclusion>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-cas</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-ldap</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-openid</artifactId>
<version>${spring.security.version}</version>
<exclusions>
<exclusion>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-remoting</artifactId>
<version>${spring.security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.security.version}</version>
</dependency>
</project>
2 个解决方案
解决方案1
4 已采纳 2015-12-15 18:39:22
http.csrf().disable(); 应该在您的类中添加public class SecurityConfiguration extends WebSecurityConfigurerAdapter
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/login.xhtml").permitAll()
.antMatchers("/pages/**").access("isAuthenticated()")
.antMatchers("/run**").access("isAuthenticated()")
.and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
.successHandler(successHandler)
.failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
.usernameParameter("username")
.passwordParameter("password")
.and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
http.csrf().disable();
}
}
spring security 4.0.1支持http.csrf().disable() (我已经看过3.2.3 doc了,它已经有了HttpSecurity类 )
我认为您的配置设置有问题。
请发布所有相关代码。 例如,Gradle的build.gradle或Maven的pom.xml,web.xml,所有弹簧配置代码等
解决方案2
1 2015-12-15 17:40:41
我假设你的配置实现了WebSecurityConfigurer(例如通过扩展WebSecurityConfigurerAdapter )。 如果是这样,你可以设置http.csrf().disable(); 在覆盖的配置方法中。 仔细检查您的依赖项,或向我们展示完整的配置代码。
话虽这么说,我建议你不要禁用它,而是实现正确的用法。 查看spring安全性参考文档如何使用CSRF令牌。
本教程也可能有一些用处。
更新(针对您更新的问题):
您让MyConfiguration类扩展了WebMvcConfigurerAdapter (用于MVC)。
你是100%肯定这不起作用吗? 因为它适合我。
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.authorizeRequests().antMatchers("/login.xhtml").permitAll()
.antMatchers("/pages/**").access("isAuthenticated()")
.antMatchers("/run**").access("isAuthenticated()")
.and()
.formLogin()
.loginProcessingUrl("/login")
.loginPage("/login.xhtml")
.successHandler(successHandler)
.failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
.usernameParameter("username").passwordParameter("password")
.and().sessionManagement().maximumSessions(2)
.maxSessionsPreventsLogin(true);
}
您必须添加另一个扩展WebSecurityConfigurerAdapter配置类(用于Spring Security)。 在该配置中,您可以覆盖SecurityConfigurer #configure(...)方法。
HTTP状态403 - 在请求参数上找到无效的CSRF令牌“null”
[英]HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter
错误HTTP状态403-在请求参数'_csrf'或标头'X-CSRF-TOKEN'上发现无效的CSRF令牌'null'
[英]Error HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
MissingCsrfTokenException:无法验证提供的 CSRF 令牌,因为找不到您的 session
[英]MissingCsrfTokenException: Could not verify the provided CSRF token because your session was not found
HTTP状态403 - 在请求参数'_csrf'或标题'X-CSRF-TOKEN'上找到无效的CSRF令牌'9ee6949c-c5dc-4d4b-9d55-46b75abc2994'
[英]HTTP Status 403 - Invalid CSRF Token '9ee6949c-c5dc-4d4b-9d55-46b75abc2994' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
无法验证提供的CSRF令牌,因为在spring security中找不到您的会话
[英]Could not verify the provided CSRF token because your session was not found in spring security
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
未找到预期的CSRF令牌。您的会话是否已过期403
找不到预期的CSRF令牌。 您的会话是否已过期?
HTTP状态403-找不到预期的CSRF令牌
HTTP状态403 - 在请求参数上找到无效的CSRF令牌“null”
错误HTTP状态403-在请求参数'_csrf'或标头'X-CSRF-TOKEN'上发现无效的CSRF令牌'null'
找不到AngularJS HTTP POST预期的CSRF令牌
MissingCsrfTokenException:无法验证提供的 CSRF 令牌,因为找不到您的 session
HTTP状态403 - 在请求参数'_csrf'或标题'X-CSRF-TOKEN'上找到无效的CSRF令牌'9ee6949c-c5dc-4d4b-9d55-46b75abc2994'
Spring CSRF 403会话过期Internet Explorer 9-11
无法验证提供的CSRF令牌,因为在spring security中找不到您的会话
相关标签