【发布时间】:2015-10-16 07:49:49
【问题描述】:
我想从我的 angularJS 客户端上传文件。我启用了 CSRF 保护,它工作正常,除了当我尝试上传文件时,我得到一个 403 错误:
在请求参数“_csrf”上发现无效的 CSRF 令牌“null” 或标题“X-XSRF-TOKEN”。
但是令牌在请求标头中并且是正确的!当我禁用 CSRF 保护时,我可以毫无问题地上传文件。
除此之外,CSRF 保护工作正常。
这是我目前的配置:
SecurityConfiguration.java
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private SecurityUserDetailsService securityUserDetailsService;
@Autowired
private AuthFailureHandler authFailureHandler;
@Autowired
private AjaxAuthSuccessHandler ajaxAuthSuccessHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling()
.authenticationEntryPoint(authFailureHandler)
.and()
.authorizeRequests()
.antMatchers(
"/",
"/index.html",
"/styles/**",
"/bower_components/**",
"/scripts/**"
).permitAll().anyRequest()
.authenticated()
.and().formLogin().loginPage("/login").permitAll()
.and().logout().logoutUrl("/logout").logoutSuccessHandler(ajaxAuthSuccessHandler).permitAll()
.and().httpBasic()
.and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
.csrf().csrfTokenRepository(csrfTokenRepository());
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(securityUserDetailsService)
.passwordEncoder(new BCryptPasswordEncoder());
}
}
CsrfHeaderFilter.java
public class CsrfHeaderFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null && !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
}
最后我添加了一个 SecurityWebApplicationInitializer,正如 here 所指出的那样。
SecurityWebApplicationInitializer.java
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
@Override
protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
insertFilters(servletContext, new MultipartFilter());
}
}
我做错了什么?
更新:我添加了这个配置,但我仍然得到 403。
@Configuration
public class MultipartUploadConfig {
@Bean(name = "filterMultipartResolver")
public MultipartResolver multipartResolver() {
return new CommonsMultipartResolver();
}
}
【问题讨论】:
-
@smoggers 我试过了,但对我不起作用。
-
@inanutshellus 没有。我暂时放弃并禁用了CSRF...
-
@ChristosBaziotis:我找到了一个解决方案(我已经用 Spring Boot 对其进行了测试)并将这个问题标记为 stackoverflow.com/questions/21514074/… 的副本
标签: java spring spring-security multipart