Spring Security XML 错误 - cvc-complex-type.2.4.a：发现以元素“csrf”开头的无效内容

Question

我在我的 Web 应用程序项目中使用 Spring Security。我想在我的 Spring 应用程序中启用 csrf 保护。 我的 application-context-security.xml 如下

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security
                         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <global-method-security secured-annotations="enabled"/> 

    <http disable-url-rewriting="true" auto-config="false" access-decision-manager-ref="accessDecisionManager" entry-point-ref="authenticationEntryPoint">
        <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"/>
        <intercept-url pattern="/j_spring_security_check" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/j_spring_security_logout" access="IS_AUTHENTICATED_ANONYMOUSLY, IS_AUTHENTICATED_FULLY, IS_AUTHENTICATED_REMEMBERED"/>
<!-- Enable CSRF protection -->
        <csrf />
    <access-denied-handler ref="accessDeniedHandler"/>         
    </http>
<!-- Remaining information -->
</beans:beans>

我正在为我的项目使用 Spring 3.0.5 jars。

虽然在运行时，我收到以下错误

SEVERE: Exception sending context initialized event to listener 
instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
 nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: 
Invalid content was found starting with element 'csrf'. 
One of 
'{"http://www.springframework.org/schema/security":intercept-url,
 "http://www.springframework.org/schema/security":access-denied-handler, 
"http://www.springframework.org/schema/security":form-login, 
"http://www.springframework.org/schema/security":openid-login, 
"http://www.springframework.org/schema/security":x509, 
"http://www.springframework.org/schema/security":http-basic, 
"http://www.springframework.org/schema/security":logout, 
"http://www.springframework.org/schema/security":session-management, 
"http://www.springframework.org/schema/security":remember-me, 
"http://www.springframework.org/schema/security":anonymous, 
"http://www.springframework.org/schema/security":port-mappings, 
"http://www.springframework.org/schema/security":custom-filter, 
"http://www.springframework.org/schema/security":request-cache}' 
is expected.

我尝试在谷歌上搜索这个错误。我发现了几个类似的地方，但他们都说错误是由于 Spring 3.2+ 中的一些变化造成的。但是，就我而言，我使用的是 Spring 3.0.5。

任何帮助将不胜感激。

Answer 1

从
更新后出现同样的错误 春季 3.2.5 到 4.2.0
春季安全 3.1.4 到 4.0.2

我必须将架构位置从
http://www.springframework.org/schema/security/spring-security.xsd
致
http://www.springframework.org/schema/security/spring-security-4.0.xsd

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:osgi="http://www.springframework.org/schema/osgi" xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
          http://www.springframework.org/schema/osgi http://www.springframework.org/schema/osgi/spring-osgi.xsd
          http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

在您的情况下， 元素在 spring 3.0.5 中不存在。
因此更新到至少 3.2 将是解决方案。

Answer 2

我认为spring security的csrf快捷方式是在3.2.0版本中引入的（见blogpost）

也许你应该考虑更新你用过的 spring 版本