JavaSpringSecurity拒绝登录csrf
我正在使用SpringBoot和SpringSecurity,并试图让我的登录名使用javascript。如果我使用登录,一切正常。html和一个表单。但一旦我使用javascript,我就会得到一个关于空csrf的错误。我在请求和响应中使用所有json。我相信这意味着除了登录之外,所有请求POST/PUT头都需要_csrf令牌
以下是我的配置:
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService customUserDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/").permitAll()
http
.formLogin().failureUrl("/login?error")
.defaultSuccessUrl("/")
.permitAll()
.and()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
.permitAll();
http
.sessionManagement()
.maximumSessions(1)
.expiredUrl("/login?expired")
.maxSessionsPreventsLogin(true)
.and()
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.invalidSessionUrl("/");
http
.authorizeRequests().anyRequest().authenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
PasswordEncoder encoder = new BCryptPasswordEncoder();
auth.userDetailsService( customUserDetailsService ).passwordEncoder( encoder );
}
}
以下是我提交登录请求的javascript:
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$("#login").click(function(){
username=$("#username").val();
password=$("#password").val();
$.ajax({
type: "POST",
url: "/login",
beforeSend: function(xhr){
xhr.setRequestHeader(header, token);
},
data: "username="+username+"&password="+password,
success: function(html){
alert("logged in");
}
});
return false;
});
下面是我得到的错误:
s.w.s.m.m.a.RequestMappingHandlerMapping : Returning handler method [public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)]
o.s.w.s.m.m.a.HttpEntityMethodProcessor : Written [{timestamp=Tue Oct 21 09:56:56 MDT 2014, status=403, error=Forbidden, message=Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'., path=/login}] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@731cc24a]
o.s.web.servlet.DispatcherServlet : Null ModelAndView returned to DispatcherServlet with name 'dispatcherServlet': assuming HandlerAdapter completed request handling
我在浏览器中收到的403响应是:
"Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'."
是不是因为我做错了什么,所以我的所有POST/PUTs请求都被拒绝了
更新: 多亏了这些优秀的建议,我在所有请求中添加了标题,这似乎让我克服了csrf问题,结果导致302重定向
我提出了另一个问题[spring boot / spring security is ignoring /login call from javascript,因为spring安全问题忽略了javascript
共 (0) 个答案