堆棧內存溢出
  簡體   English   中英

如何使用自定義登錄頁面糾正Spring安全異常?

[英]How to rectify spring security exception with custom login page?

 原文  2016-09-16 07:05:58       java/ spring/ jsp/ spring-mvc/ spring-security

問題描述

我得到的解釋

HTTP狀態403-在請求參數'_csrf'或標頭'X-CSRF-TOKEN'上發現無效的CSRF令牌'null'。

我正在嘗試通過自定義登錄頁面實現Spring Security

spring-security.xml 

    <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<!-- <http>
<intercept-url pattern ="/welcome*" access="hasRole('ROLE_USER')"/>
<http-basic/>
</http> -->

<!-- <http>
<intercept-url pattern ="/welcome*" access="hasRole('ROLE_USER')"/>
<form-login/>
<logout logout-success-url="/home"/>
</http> -->
<http>
<intercept-url pattern ="/welcome*" access="hasRole('ROLE_USER')"/>
<form-login login-page="/login" default-target-url="/welcome" authentication-failure-url="/loginfailed"/>
<logout logout-success-url="/logout"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="rahul" password="123" authorities="ROLE_USER"/>
<user name="rohit" password="567" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>

login.jsp 

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Login Page</title>
<!-- <style>
.errorblock
{
color : #f0000;
background-color : #ffEEEE;
border : 3px solid #ff0000;
padding : 8px;
margin : 16px;
}
</style> -->
</head>
<body onload='document.f.j_username.focus();' bgcolor="blue">
<h3>Login with Username andPassword (Custom page)</h3>

<%-- <c:if test="$SPRING_SECURITY_LAST_EXCEPTION !=null"}">
<div class="errorblock">
Your login atempt are not sucessfull,try again
 <br/>Caused : ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message }
 </div>
 </c:if> --%>
<%-- <form name='f' action="<c:url value='j_spring_security_logout'/>" method="POST">
 --%>
 <form name='f' action='/SpringSecurityApplication/login' method="POST">
<table>
<tr>
<td>User :</td><td><input type='text' name='username'></td>
</tr>

<tr>
<td>Password :</td><td><input type='password' name='password'></td>
</tr>
<tr><td colspan ='2'><input name="submit" type="submit" value="submit" ></td></tr>
<tr><td colspan ='2'><input name="reset" type="reset" ></td></tr>
</table>
</form>
</body>
</html>

LoginController.java 

package com.springtraining.security.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {
    public LoginController() {
        System.out.println("LoginController constructor is called ");
    }

    @RequestMapping(value = "/welcome", method = RequestMethod.GET)
    public String printWelcome(ModelMap model, Principal principal) {
        System.out.println("**********Login Controller is Called********");

        String name = principal.getName();
        model.addAttribute("username", name);
        model.addAttribute("message", "Spring Security Custom Form Example");
        return "hello";
    }

    @RequestMapping(value = "/*", method = RequestMethod.GET)
    public String home(ModelMap model) {

        return "home";

    }

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(ModelMap model) {
        return "login";
    }

    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logout(ModelMap model) {
        return "login";
    }

    @RequestMapping(value = "/loginfailed", method = RequestMethod.GET)
    public String loginError(ModelMap model) {
        model.addAttribute("error","true");
        return "login";
    }

}

hello.jsp

我認為不需要home.jsp

1 個解決方案

解決方案1
 2 已采納  2016-09-16 07:20:16

您需要在登錄時提交crsf令牌(以及注銷和其他所有POST,PUT,DELETE請求)。

有一些服務器方式可以將其添加到您的jsp中:

  • 使用spring的jsp <form:form>標簽(而不是standart form標簽)或
  • 您需要通過spring安全標簽<sec:csrfInput />或以下方式顯式添加crsf令牌:
  • 通過“ standart jsp”:

“ standart jsp”示例: 

<input type="hidden"
  name="${_csrf.parameterName}"
  value="${_csrf.token}"/>

@see:Spring安全性參考第18.4.3包含CSRF令牌

順便說一句:我強烈建議閱讀完整的第18章。跨站點請求偽造(CSRF)

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 如何在spring security中運行自定義登錄頁面 如何使用 Spring Security 自定義登錄頁面? Spring 安全性 - 無法使用自定義登錄頁面登錄 如何在Spring Security中將未找到標頭重定向到登錄頁面 Spring Boot + Spring Security 的自定義登錄頁面 如何在沒有配置的情況下將spring boot security用於自定義登錄頁面? 如何為Spring Security設置自定義登錄處理頁面? 自定義登錄頁面的 403 錯誤 Spring 安全 Spring Security自定義登錄頁面不起作用 帶有自定義 AngularJS 登錄頁面的 Spring Boot 和安全性
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM