【Question title】: _csrf token in spring 3.2.8
【Posted】: 2016-02-20 10:58:13
【Question】:

I want to protect my application against CSRF attacks, so I added this to my applicationContext.xml:

    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">
        <security:csrf/>
        <security:intercept-url pattern="/**" access="permitAll" />
    </security:http>

    <security:authentication-manager/>

and this to my web.xml:

    <!-- spring security csrf -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>fr.telecom.support.context.DevicesSecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

This is my filter:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;

// EcasUser and ThreadContext are application classes of the project.
public class DevicesSecurityFilter extends DelegatingFilterProxy {

    public DevicesSecurityFilter() {
        // TODO Auto-generated constructor stub
    }

    public DevicesSecurityFilter(Filter delegate) {
        super(delegate);
    }

    public DevicesSecurityFilter(String targetBeanName) {
        super(targetBeanName);
    }

    public DevicesSecurityFilter(String targetBeanName,
            WebApplicationContext wac) {
        super(targetBeanName, wac);
    }

    @Override
    public void doFilter(ServletRequest request,
                         ServletResponse response,
                         FilterChain filterChain) throws ServletException, IOException {

        HttpServletRequest httpServletRequest;
        ThreadContext threadContext;

        if (request instanceof HttpServletRequest) {
            httpServletRequest = (HttpServletRequest) request;
            threadContext = ThreadContext.getInstance();

            try {
                EcasUser ecasUser = (EcasUser) httpServletRequest.getUserPrincipal();
                if (ecasUser != null) {
                    threadContext.setDomainUsername(ecasUser.getDomainUsername());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
            threadContext.setUserID(httpServletRequest.getRemoteUser());
        }

        System.out.println("filterChain -> " + filterChain);

        if (filterChain != null) {
            filterChain.doFilter(request, response);
        }
    }
}

In the JSP I added:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 

But when I run the application and inspect the JSP, this is what I find! And no exception is thrown!

<input type="hidden" name="" value=""/> 

I think it should look like this:

<input type="hidden" name="_csrf" value="8d0bf854-83a1-4fbf-a792-390a84ecf545"/>

【Question discussion】:

    Tags: spring-mvc spring-security csrf csrf-protection


    【Solution 1】:

    First, I'd say that extending DelegatingFilterProxy is not a good idea.

    The problem is that the delegate is never called.

    One possible quick fix is to replace filterChain.doFilter with:

    super.doFilter(request, response, filterChain);
    

    【Discussion】:
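The answer's quick fix applied to the asker's filter, as an added example that is neither the asker's nor the answerer's code. It assumes the asker's own EcasUser and ThreadContext classes and the web.xml mapping from the question, whose filter-name springSecurityFilterChain is the bean name DelegatingFilterProxy delegates to by default.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.filter.DelegatingFilterProxy;

// Assumes the asker's own EcasUser and ThreadContext classes from the question.
public class DevicesSecurityFilter extends DelegatingFilterProxy {

    public DevicesSecurityFilter() {
        // No-arg constructor used by the servlet container. With no explicit target
        // bean name, DelegatingFilterProxy uses the web.xml <filter-name>, here
        // "springSecurityFilterChain", which is the bean <security:http> registers.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterChain) throws ServletException, IOException {

        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            ThreadContext threadContext = ThreadContext.getInstance();

            // instanceof instead of a blind cast: no try/catch needed when the
            // principal is absent or of another type.
            Object principal = httpRequest.getUserPrincipal();
            if (principal instanceof EcasUser) {
                threadContext.setDomainUsername(((EcasUser) principal).getDomainUsername());
            }
            threadContext.setUserID(httpRequest.getRemoteUser());
        }

        // The fix from the answer: hand the request to DelegatingFilterProxy, which
        // looks up the springSecurityFilterChain bean and invokes it before the
        // container's chain continues. That bean's filters include CsrfFilter, which
        // stores the token under the "_csrf" request attribute the JSP reads and
        // rejects requests with any method other than GET, HEAD, TRACE or OPTIONS
        // whose token is missing or wrong. Calling filterChain.doFilter directly, as
        // the original code did, bypassed the delegate, so the attribute was never set.
        super.doFilter(request, response, filterChain);
    }
}
```

Once the delegate runs, the hidden input renders with name="_csrf" and a token value, and a POST without that token is rejected by CsrfFilter rather than silently accepted.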
