在Spring Security中启用CSRF时，访问被拒绝403

Question

在我的Spring应用程序的spring安全配置文件中，启用csrf时(<security:csrf/>)

并尝试提交登录表单，然后出现拒绝访问页面403（或）

(Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.)异常（当不存在访问拒绝处理程序时）

“但是，如果我没有在spring安全配置文件中启用CSRF，那么一切都会正常运行。”

这是我启用CSRF时的代码

pom.xml（所有版本）

<properties>
    <spring.version>3.2.8.RELEASE</spring.version>
    <spring.security.version>3.2.3.RELEASE</spring.security.version>
    <jstl.version>1.2</jstl.version>
    <mysql.connector.version>5.1.30</mysql.connector.version>
</properties>

spring-security.xml

    <security:http auto-config="true" use-expressions="true">

    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>

    <!-- access denied page -->
    <security:access-denied-handler error-page="/403"/>

    <security:form-login
        login-page="/login" default-target-url="/loginSuccess" authentication-failure-url="/loginError?error"/>

    <!-- enable csrf protection-->  
    <security:csrf/>    
</security:http>

<!-- Select users and user_roles from database -->
<security:authentication-manager>
    <security:authentication-provider>
        <!--<security:jdbc-user-service data-source-ref="dataSource" 
                    users-by-username-query="select username,password, enabled from registration where username=?"
                    authorities-by-username-query="select username, role from registration where username=?"/> -->
        <security:user-service>
            <security:user name="test" password="test" authorities="ROLE_USER" />
            <security:user name="test1" password="test1" authorities="ROLE_ADMIN" />
        </security:user-service>            
    </security:authentication-provider>
</security:authentication-manager>

控制者

    @Controller
public class MainController {

    @RequestMapping(value={"/login"})
    public ModelAndView loginPage(){

        ModelAndView model = new ModelAndView("login");
        return model;
    }

    @RequestMapping(value={"/loginSuccess"},method=RequestMethod.POST)
    public ModelAndView loginSuccess(Principal principal,HttpServletRequest request,HttpSession session){

        ModelAndView model = new ModelAndView("success");

        //Testing.......
        String name = principal.getName();
        model.addObject("username", name);

        session = request.getSession();
        session.setAttribute("USER", "system");

        return model;
    }

login.jsp

    <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page language="java" import="java.util.*" pageEncoding="ISO-8859-1"%>
<%@page session="true"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">

    <title>login Page</title>

    <!-- <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="cache-control" content="no-cache">
    <meta http-equiv="expires" content="0">    
    <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
    <meta http-equiv="description" content="This is my page">

    <link rel="stylesheet" type="text/css" href="styles.css">
    -->

  </head>

  <body onload='document.loginForm.username.focus();'>

        <h1>Spring Security Login Form (Database Authentication)</h1>

    <div>   
        <h3>Login with Username and Password</h3>

        <c:if test="${not empty error}">
            <div>${error}</div>
        </c:if>

        <form name="loginForm" action="j_spring_security_check" method="post">

            <table>
                <tr>
                    <td>Username</td>
                    <td><input type="text" name=j_username></td>
                </tr>
                <tr>
                    <td>Password</td>
                    <td><input type="password" name=j_password></td>
                </tr>
                <tr>
                    <td colspan='2'><input name="submit" type="submit"
                        value="submit" /></td>
                </tr>

            </table>
                <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        </form>
    </div>  
  </body>
</html>

403.jsp

    <%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
    <h1>HTTP Status 403 - Access is denied</h1>

    <c:choose>
        <c:when test="${empty username}">
            <h2>You do not have permission to access this page!</h2>
        </c:when>
        <c:otherwise>
            <h2>Username : ${username} <br/>You do not have permission to access this page!</h2>
        </c:otherwise>
    </c:choose>

</body>
</html>

输出：

    HTTP Status 403 - Access is denied

Username : ${username} 
You do not have permission to access this page!

请帮忙。

解

控制器：

@RequestMapping(value={"/","/loginSuccess"},method=RequestMethod.GET)
public ModelAndView loginSuccess()

web.xml

    <welcome-file-list>
      <welcome-file>login.jsp</welcome-file>
    </welcome-file-list>

由于默认页面

Answer 1

提交表单后，我认为您正在执行ajax请求。 在这种情况下，您必须在标头中传递csrf令牌。

就像是，

var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
var headers ={};
headers[header]=token;
var headerObj = {};
headerObj['headers']=headers;
$http.post("http://xyz",request,headerObj);

为了仅对特定网址启用csrf，您可以执行以下操作

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(new RequestMatcher() {

            @Override
            public boolean matches(HttpServletRequest request) {
                return request.getServletPath().contains("/xyz");
            }
        });
    }
}