堆棧內存溢出
  簡體   English   中英

Android HttpUrlConnection無法發布-錯誤403

[英]Android HttpUrlConnection Cannot Post - Error 403

 原文  2015-08-19 10:46:53       android/ spring/ spring-security/ csrf

問題描述

我正在嘗試使用spring security csrf針對我的Web服務發出HttpPost。

首先,我試圖通過GET請求恢復XSRF令牌,像這樣 

public static CookieManager xcsrfToken() throws IOException{
    String token;
    URL url = new URL(urlBase);
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("GET");
    CookieManager cookieManager = new CookieManager();
    con.connect();

    List<String> cookieHeader = con.getHeaderFields().get("Set-Cookie");

    if (cookieHeader != null) {
        for (String cookie : cookieHeader) {
            cookieManager.getCookieStore().add(null, HttpCookie.parse(cookie).get(0));
        }
    }
    System.out.println(con.getHeaderFields());
    con.disconnect();

    return cookieManager;
}

這就是我從con.getHeaderFields()獲得的內容 

{null=[HTTP/1.1 200 OK], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Content-Language=[pt-BR], Content-Length=[973], Content-Type=[text/html;charset=ISO-8859-1], Date=[Wed, 19 Aug 2015 10:40:18 GMT], Expires=[0], Pragma=[no-cache], Server=[Apache-Coyote/1.1], Set-Cookie=[JSESSIONID=6C9326FBEEA14752068720006F2B5EAA; Path=/webapi/; HttpOnly, XSRF-TOKEN=07cbed7f-834e-4146-8537-0a6b5669f223; Path=/], X-Android-Received-Millis=[1439980819720], X-Android-Response-Source=[NETWORK 200], X-Android-Sent-Millis=[1439980819693], X-Content-Type-Options=[nosniff], X-Frame-Options=[DENY], X-XSS-Protection=[1; mode=block]}

XSRF-TOKEN在我的cookie中,好! 如果我打印,則使用System.out.println(cookieManager.getCookieStore()。getCookies()); 我懂了 

[JSESSIONID=5B1D3E2D3E7B3E1E6572A3839BFF3741, XSRF-TOKEN=4d4048bd-f21c-48c6-895e-5f67523ad963]

現在,我試圖像這樣對服務器發出POST 

public static HttpURLConnection makeRequest(String metodo, String uri, String requestBody) throws IOException{
    URL url = new URL(urlBase + uri);
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("POST");

    con.setDoInput(true);
    con.setDoOutput(!metodo.equals("GET"));
    con.setRequestProperty("Content-Type", "application/json");
    con.setRequestProperty("Cookie", TextUtils.join("," , xcsrfToken().getCookieStore().getCookies()));

    con.connect();

    InputStream is = con.getErrorStream();
    System.out.println(IOUtils.toString(is, "UTF-8"));

    System.out.println(con.getHeaderFields());

    return con;
}

但是標題沒有餅干就回來了 

 {null=[HTTP/1.1 403 Forbidden], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Content-Language=[en], Content-Length=[1149], Content-Type=[text/html;charset=utf-8], Date=[Wed, 19 Aug 2015 10:42:18 GMT], Expires=[0], Pragma=[no-cache], Server=[Apache-Coyote/1.1], X-Android-Received-Millis=[1439980939827], X-Android-Response-Source=[NETWORK 403], X-Android-Sent-Millis=[1439980939811], X-Content-Type-Options=[nosniff], X-Frame-Options=[DENY], X-XSS-Protection=[1; mode=block]}

它說沒有CSRF有效令牌 

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.

在我的Web服務中,由於angularJs,令牌已配置為重命名為XSRF-TOKEN。 

public static void getTokens() throws IOException{
    URL url = new URL(urlBase);
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("GET");
    con.connect();
    cookieManager = new CookieManager();

    List<String> cookieHeader = con.getHeaderFields().get("Set-Cookie");

    if (cookieHeader != null) {
        for (String cookie : cookieHeader) {
            String[] tokens = TextUtils.split(cookie, "=");
            if (tokens[0].equals("JSESSIONID"))
                cookieManager.getCookieStore().add(null, HttpCookie.parse(cookie).get(0));
            if (tokens[0].equals("XSRF-TOKEN")) {
                String[] tokenValue = TextUtils.split(tokens[1],";");
                xsrfTOKEN = tokenValue[0];
            }
        }
    }

    con.disconnect();
}

然后,將其附加到HttpUrlConnection 

con.setRequestProperty("X-XSRF-TOKEN", xsrfTOKEN);

1 個解決方案

解決方案1
 1 已采納  2015-08-19 13:26:54

以我的經驗,我們需要將令牌作為請求標頭提交。 Spring希望其名稱默認為X-CSRF-TOKEN 但是使用AngularJS的人通常在Spring Security配置中將其更改為X-XSRF-TOKEN

但是看看您的代碼,我不知道您是否正在發送該標頭。

如果有幫助,請參考我的一個項目(使用RestAssured ): 

if (xsrfToken != null && !ctx.getRequestMethod().equals(Method.GET))
    requestSpec.header("X-XSRF-TOKEN", xsrfToken);

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 在Android中使用HttpURLConnection會導致403錯誤 HttpUrlConnection 403-Android出現錯誤 Android 使用 HttpUrlConnection 向 django 服務器發送請求給出 403 HttpURLConnection在發布中出現Android Studio錯誤404 Android HttpURLConnection PUT到Amazon AWS S3 403錯誤 使用HttpURLConnection的Android發布請求錯誤 Android HttpURLConnection POST給出了HTTP錯誤411 HttpURLConnection發布Android httpurlconnection發布php android Android HttpUrlConnection:發布Multipart
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM