java AngularJS+Spring Security如何在POST请求中设置CSRF令牌?
在我的AngularJS authService中,我将向单独域上的服务器端点发送一个带有凭据和用户名的POST请求。 我有一个CORSFilter,它是可以的,因为当我在SecurityConfiguration类中禁用CSRF保护时,我可以成功地发布数据
我做错了什么?如何在POST请求中发送CSRF令牌
authService.login(credentials)
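// authService.login(credentials): authenticate against the API with HTTP Basic
// and ask the server for the matching user record.
//
// Dropped `dataType: "json"` from the config: that is a jQuery.ajax option, not an
// AngularJS $http one — $http ignores it and already parses JSON responses by default.
//
// NOTE(review): this request is cross-origin (baseUrl is a separate domain). AngularJS's
// $http copies the XSRF-TOKEN cookie into the X-XSRF-TOKEN header only for same-origin
// URLs, and page script cannot read a cookie that the API's domain set anyway, so the
// cookie-to-header CSRF pattern does not run here on its own. One option is to obtain
// the token from the API first (e.g. a GET that returns it) and set it explicitly:
//   $http.defaults.headers.common['X-XSRF-TOKEN'] = token;
// Confirm against the CORSFilter: Authorization and Content-Type: application/json make
// this a preflighted request, so Access-Control-Allow-Headers must list Authorization,
// Content-Type and X-XSRF-TOKEN, and Access-Control-Allow-Credentials must be true.
// Basic credentials are only base64-encoded, not encrypted — this must go over HTTPS.
response.login = function (credentials) {
    // The password travels only in the Basic Authorization header so the server
    // authenticates before the handler runs; the body carries just the username.
    var basicAuth = "Basic " + btoa(credentials.username + ":" + credentials.password);
    return $http({
        method: "POST",
        url: baseUrl + "/authenticate",
        // Send the session (and any XSRF-TOKEN) cookie on this cross-origin call.
        withCredentials: true,
        data: { username: credentials.username },
        headers: {
            'Authorization': basicAuth,
            'Content-Type': 'application/json'
        }
    });
};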
CsrfHeaderFilter
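/**
 * Copies the server-side CSRF token into a cookie named {@code XSRF-TOKEN} so that
 * page script can read it and echo it back in the {@code X-XSRF-TOKEN} header.
 *
 * <p>The token is taken from the request attribute that Spring Security's
 * {@code CsrfFilter} populates, so this filter must be registered to run after it
 * (see {@code addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)}).
 *
 * <p>The cookie is intentionally not HttpOnly — the whole point of the
 * cookie-to-header pattern is that JavaScript reads it. It is marked Secure whenever
 * the request arrived over TLS, the same approach Spring Security's own
 * {@code CookieCsrfTokenRepository} takes, so plain-HTTP dev setups keep working while
 * the cookie is never sent in clear once the site is served over HTTPS.
 *
 * <p>Changes from the original: no cookie is written when the token is {@code null}
 * (the original would emit {@code XSRF-TOKEN=} with a null value in that case), and
 * the Secure flag is set as described above.
 *
 * <p>NOTE(review): the cookie is set on the API's domain. A single-page app served from
 * a different origin cannot read it, so this filter alone does not cover the
 * cross-domain case described on this page; such clients need the token exposed some
 * other way (e.g. in the body or a header of a GET). Confirm against the deployment.
 */
public class CsrfHeaderFilter extends OncePerRequestFilter {

    private static final String COOKIE_NAME = "XSRF-TOKEN";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (csrf != null) {
            String token = csrf.getToken();
            Cookie existing = WebUtils.getCookie(request, COOKIE_NAME);
            // (Re)issue the cookie when the client has none or holds a stale value;
            // never write a cookie for a null token.
            boolean stale = existing == null || !token.equals(existing.getValue());
            if (token != null && stale) {
                Cookie cookie = new Cookie(COOKIE_NAME, token);
                cookie.setPath("/");
                cookie.setSecure(request.isSecure());
                response.addCookie(cookie);
            }
        }
        filterChain.doFilter(request, response);
    }
}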
SecurityConfiguration.java
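/**
 * Spring Security wiring for the API.
 *
 * <p>Authentication is HTTP Basic against {@code CustomUserDetailsService} with BCrypt
 * password hashes. CSRF protection stays enabled and uses a session-backed token
 * repository that expects the token in the {@code X-XSRF-TOKEN} header (the header
 * AngularJS's $http sends, instead of Spring's default {@code X-CSRF-TOKEN});
 * {@code CsrfHeaderFilter} runs right after Spring's {@code CsrfFilter} so it can copy
 * the token the latter put on the request into the {@code XSRF-TOKEN} cookie.
 *
 * <p>Changes from the original: {@code @Override} added to
 * {@code configure(AuthenticationManagerBuilder)} so a signature mismatch is a compile
 * error rather than a silently unused method (which would leave the user store and
 * password encoder unwired), and the commented-out alternative filter registration was
 * removed.
 *
 * <p>NOTE(review): {@code antMatchers("/**").permitAll()} matches every request, so the
 * following {@code anyRequest().authenticated()} rule can never apply — as written,
 * authorization rests entirely on method-level {@code @PreAuthorize} checks. Narrow the
 * matcher before relying on URL-based rules. The session cookie that
 * {@code HttpSessionCsrfTokenRepository} depends on is only sent by a cross-origin
 * client when the CORS filter allows credentials; confirm that as well.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /** Header the client must carry the CSRF token in; matches AngularJS's default. */
    private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";

    @Autowired
    private CustomUserDetailsService customUserDetailsService;

    /** Registers the user store and the BCrypt encoder used to verify passwords. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(customUserDetailsService)
            .passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests()
                // NOTE(review): "/**" matches everything, so authenticated() below is
                // unreachable; kept as posted so behaviour is unchanged.
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .csrf()
                .csrfTokenRepository(csrfTokenRepository())
            .and()
            // Must follow CsrfFilter: CsrfHeaderFilter reads the CsrfToken request
            // attribute that CsrfFilter populates.
            .addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
    }

    /** Session-scoped CSRF token repository reading the token from {@code X-XSRF-TOKEN}. */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName(CSRF_HEADER_NAME);
        return repository;
    }

    @Override
    protected UserDetailsService userDetailsService() {
        return customUserDetailsService;
    }

    /** BCrypt is the hash used for stored passwords. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}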
UserController
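/**
 * Returns the record of the caller's own user.
 *
 * <p>The caller is authenticated by HTTP Basic before this handler runs. The added
 * {@code #username == authentication.name} clause ties the looked-up record to the
 * authenticated principal: with only {@code hasRole('ROLE_USER')}, any authenticated
 * user could fetch any other user's record simply by posting a different
 * {@code username}. ({@code #username} needs parameter names available at runtime —
 * debug info or {@code -parameters} — or a {@code @P("username")} annotation.)
 *
 * <p>NOTE(review): the AngularJS client on this page posts {@code {username: ...}} as a
 * JSON body with {@code Content-Type: application/json}; {@code @RequestParam} binds
 * query-string / form fields only, so that body is not what this parameter reads.
 * Confirm whether the client should send a form/query parameter or this should be
 * {@code @RequestBody}. Also confirm what {@code User} serializes: a password hash must
 * not end up in the response.
 *
 * @param username the user to look up; must equal the authenticated user's name
 * @return the matching user
 * @throws NotFoundException if no user with that name exists
 */
@RequestMapping(method = RequestMethod.POST, value = "/authenticate")
@PreAuthorize("hasRole('ROLE_USER') and #username == authentication.name")
public @ResponseBody User login(@RequestParam String username) {
    User user = repo.getUserWithUsername(username);
    if (user == null) {
        throw new NotFoundException();
    }
    return user;
}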
# 1 楼答案
如果你用的是 HTML 表单,试试这个。Spring会自动生成带有CSRF令牌的隐藏输入,您可以使用该令牌: