![](/img/trans.png)
[英]Spring boot - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
[英]Spring CSRF token null in Freemarker template
我正在Zuul后面运行Oauth2服务器。 Zuul将用户转发到登录页面。 Zuul还定义了以下HttpSecurity:
@Override
public void configure(HttpSecurity http) throws Exception {
...
.and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
Oauth2服务器上的登录Freemarker模板按如下方式解析CSRF令牌:
<from>
...
<input type="hidden" id="csrf_token" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
到这里为止,一切正常。 否,我提供了密码重置Freemarker模板的链接:
<a href="/uaa/reset"><@spring.message "login.forgot"/></a>
以及以下WebMvcConfigurerAdapter配置:
@Configuration
public class OAuthWebFormConfiguration extends WebMvcConfigurerAdapter {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
registry.addViewController("/reset").setViewName("reset");
}
导航到重置视图时,出现以下错误:
: Servlet.service() for servlet [dispatcherServlet] in context with path
[/uaa] threw exception [Request processing failed; nested exception is
freemarker.core.InvalidReferenceException: The following has evaluated to
null or missing:
==> _csrf [in template "reset.ftl" at line 21, column 64]
Tip: If the failing expression is known to legally refer to something
that's sometimes null or missing, either specify a default value like
myOptionalVar!myDefault, or use <#if myOptionalVar??>when-
present<#else>when-missing</#if>. (These only cover the last step of the
expression; to cover the whole expression, use parenthesis:
(myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??
FTL stack trace ("~" means nesting-related):
- Failed at: ${_csrf.parameterName} [in template "reset.ftl" at line 21,
column 62]
----] with root cause
freemarker.core.InvalidReferenceException: The following has evaluated to
null or missing:
==> _csrf [in template "reset.ftl" at line 21, column 64]
Tip: If the failing expression is known to legally refer to something that's
sometimes null or missing, either specify a default value like
myOptionalVar!myDefault, or use <#if myOptionalVar??>when-
present<#else>when-
missing</#if>. (These only cover the last step of the expression; to cover
the whole expression, use parenthesis: (myOptionalVar.foo)!myDefault,
(myOptionalVar.foo)??
FTL stack trace ("~" means nesting-related):
- Failed at: ${_csrf.parameterName} [in template "reset.ftl" at line 21,
column 62]
有什么帮助吗?
解决方法是将重置视图添加到antMatchers列表中,如下所示:
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.authorizeRequests()
.antMatchers("/console/**", "/reset").permitAll()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.requestMatchers()
.antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access", "/reset")
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
// @formatter:on
}
这样,Springs CsrfFilter
就会加入,并添加CSRF令牌作为请求属性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.