堆栈内存溢出
  繁体   English   中英

Azure Spring 云中的 AD 身份验证导致“发现无效的 CSRF 令牌”

[英]AD Authentication in Azure Spring Cloud causes 'Invalid CSRF token found'

 原文  2022-08-01 08:59:04       java/ spring-security/ spring-security-oauth2/ azure-spring-cloud

问题描述

使用 Azure Spring Cloud 的 AD 身份验证导致“发现无效的 CSRF 令牌”事件。

我使用 Azure Spring Cloud 进行 AD 身份验证,在 AD 身份验证后,重定向 URL 到我的 web 应用程序的主页 URL (https://${baseURL}/test) 成功。

但是,当我尝试使用主页上的链接按钮将 go 链接到 (https://${baseURL}/test/downlonad) 时,出现以下错误。

DEBUG                                   Securing GET /test
DEBUG                                   Set SecurityContextHolder to empty SecurityContext
DEBUG                                   Set SecurityContextHolder to anonymous SecurityContext
DEBUG                                   Failed to authorize filter invocation [GET /test] with attributes [authenticated]
WARN                                    Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [549] millisecond
DEBUG                                   Saved request https://${baseUrl}/test to session
DEBUG                                   Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, e
DEBUG                                   Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryP
DEBUG                                   Redirecting to https://${baseUrl}/oauth2/authorization/azure
DEBUG                                   Did not store empty SecurityContext
DEBUG                                   Did not store empty SecurityContext
DEBUG                                   Cleared SecurityContextHolder to complete request
DEBUG                                   Securing GET /oauth2/authorization/azure
DEBUG                                   Set SecurityContextHolder to empty SecurityContext
DEBUG                                   Redirecting to https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/a
DEBUG                                   Did not store empty SecurityContext
DEBUG                                   Did not store empty SecurityContext
DEBUG                                   Cleared SecurityContextHolder to complete request
DEBUG                                   Securing GET /login/oauth2/code/azure?code=0.AXIAEto0y5gc-UmBsmgUVuIyUXDot_lt5nVOhl64iHht309yAFI.Ag
DEBUG                                   Set SecurityContextHolder to empty SecurityContext
DEBUG                                   HTTP POST https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/token
DEBUG                                   Accept=[application/json, application/*+json]
DEBUG                                   Writing [{grant_type=[authorization_code], code=[0.AXIAEto0y5gc-UmBsmgUVuIyUXDot_lt5nVOhl64iHht309y
DEBUG                                   Response 200 OK
DEBUG                                   Reading to [org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] as "applic
DEBUG                                   HTTP GET https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/discovery/v2.0/keys
DEBUG                                   Accept=[text/plain, application/xml, text/xml, application/json, application/*+xml, application/*+j2022-08-01 07:48:37     DEBUG                                   Response 200 OK
DEBUG                                   Reading to [java.lang.String] as "application/json;charset=utf-8"
DEBUG                                   Changed session id from 77C315072FEAE1AFDD26128B3689CAD1
DEBUG                                   Set SecurityContextHolder to OAuth2AuthenticationToken [Principal=Name: [user], Granted Authorit2022-08-01 07:48:38     DEBUG                                   Redirecting to https://${baseUrl}/test
DEBUG                                   Stored SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [user], Gr
DEBUG                                   Stored SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [user], Gr
DEBUG                                   Cleared SecurityContextHolder to complete request
DEBUG                                   Securing GET /test
DEBUG                                   Retrieved SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [user],
DEBUG                                   Set SecurityContextHolder to SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Princip
DEBUG                                   Loaded matching saved request https://${baseUrl}/test
DEBUG                                   Authorized filter invocation [GET /test] with attributes [authenticated]
DEBUG                                   Secured GET /test
DEBUG                                   GET "/test", parameters={}
DEBUG                                   Mapped to Contoller#download


DEBUG Securing POST /test/download
DEBUG Retrieved SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [USER001],
DEBUG Set SecurityContextHolder to SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal
DEBUG Invalid CSRF token found for https://${baseURL}/test/download
DEBUG Responding with 403 status code

能否请您告知上述情况的原因?

  • 主页 html

<!doctype html>
<head>
  <meta charset="utf-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <title>test</title>
  <script type="text/javascript" th:src="@{/js/bootstrap.min.js}"></script>
  <script type="text/javascript" th:src="@{/js/jquery-3.6.0.min.js}"></script>
  <link rel="icon" th:href="@{/images/favicon.ico}">
</head>

<body>
  <div class="header_area">
    <img class="logo no_pointer" th:src="@{/images/logo.png}">
    <p th:text="${title}" class="mongon no_pointer"></p>
  </div>
        <div class="output_btn mt-4">
        <form method="post" th:action="@{/test/download}" id="test001" class="col-sm-7">
          <button type="button" class="btn btn-secondary button" id="test">link</button>
        </form>
        </div>
  <script type="text/javascript" th:src="@{/js/test.js}"></script>
</body>

</html>
  • Controller
@RestController
public class HomeController {

    @GetMapping("/test/download")
    public String download(HttpServletRequest request) {
        String message = "test";
        return message;
    }
}


spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        profile:
          tenant-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        credential:
          client-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
          client-secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        redirect-uri-template: https://${baseURL}/login/oauth2/code/azure

1 个解决方案

解决方案1
 0  2023-01-03 07:43:41

根据Secure REST API using Spring Security 5 and Azure Active Directory中的示例,它提到在 Controller 代码中使用 @PreAuthorize Annotation。

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.security.access.prepost.PreAuthorize;

@RestController
public class HelloController {
     @GetMapping("Admin")
     @ResponseBody
     @PreAuthorize("hasAuthority('APPROLE_Admin')")
     public String Admin() {
         return "Admin message";
     }
}

有关此注释的更多详细信息,请查看

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 发现无效的 CSRF 令牌 - Spring 引导和 Axios Spring 安全 csrf 已禁用,仍然找到无效的 CSRF 令牌 春季启动-在请求参数&#39;_csrf&#39;或标头&#39;X-CSRF-TOKEN&#39;上发现无效的CSRF令牌&#39;null&#39; 春季 Azure AD 身份验证 带有Azure AD身份验证的Spring Boot 在 Spring 安全性中会话超时时,处理请求中发现的无效 CSRF 令牌的最佳方法是什么 找不到预期的CSRF令牌Spring Security 使用 spring 安全性验证 Azure AD 访问令牌 HTTP状态403 - 在请求参数上找到无效的CSRF令牌“null” 尝试上传时无效的CSRF令牌Spring 4 MVC
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM