【Posted at】: 2016-02-20 10:58:13
【Question】:
I want to protect my application against CSRF attacks, so I added this to my applicationContext.xml:
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
    <security:csrf/>
    <security:intercept-url pattern="/**" access="permitAll" />
</security:http>
<security:authentication-manager/>
and this to my web.xml:
<!-- spring security csrf -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>fr.telecom.support.context.DevicesSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
This is my filter:
package fr.telecom.support.context;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;

// EcasUser and ThreadContext are project classes not shown in the question.
public class DevicesSecurityFilter extends DelegatingFilterProxy {

    public DevicesSecurityFilter() {
        // TODO Auto-generated constructor stub
    }

    public DevicesSecurityFilter(Filter delegate) {
        super(delegate);
    }

    public DevicesSecurityFilter(String targetBeanName) {
        super(targetBeanName);
    }

    public DevicesSecurityFilter(String targetBeanName, WebApplicationContext wac) {
        super(targetBeanName, wac);
    }

    // Overrides DelegatingFilterProxy.doFilter without ever calling super.doFilter,
    // so the delegate "springSecurityFilterChain" bean is not invoked from here.
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterChain) throws ServletException, IOException {
        HttpServletRequest httpServletRequest;
        ThreadContext threadContext;
        if (request instanceof HttpServletRequest) {
            httpServletRequest = (HttpServletRequest) request;
            threadContext = ThreadContext.getInstance();
            try {
                EcasUser ecasUser = (EcasUser) httpServletRequest.getUserPrincipal();
                if (ecasUser != null) {
                    threadContext.setDomainUsername(ecasUser.getDomainUsername());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
            threadContext.setUserID(httpServletRequest.getRemoteUser());
        }
        System.out.println("filterChain -> " + filterChain);
        if (filterChain != null) {
            filterChain.doFilter(request, response);
        }
    }
}
In my JSP I added:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
But when I run the application and inspect the JSP, this is what I find! And no exception is thrown!
<input type="hidden" name="" value=""/>
I think it should look like this:
<input type="hidden" name="_csrf" value="8d0bf854-83a1-4fbf-a792-390a84ecf545"/>
【Discussion】:
Tags: spring-mvc spring-security csrf csrf-protection
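The empty `name=""` / `value=""` in the rendered JSP is what you get when Spring Security's CsrfFilter never ran for the request: CsrfFilter is the component that stores the CsrfToken on the request under the attribute name "_csrf" (and under CsrfToken.class.getName()), and `${_csrf.parameterName}` simply evaluates to an empty string when that attribute is absent. The filter in the question overrides DelegatingFilterProxy.doFilter and calls `filterChain.doFilter` directly, so the `springSecurityFilterChain` bean (which contains CsrfFilter) is bypassed for every request and no exception is raised because nothing is actually being checked. The following is an added example, not the asker's code or Spring's: a DelegatingFilterProxy subclass that keeps the ThreadContext bookkeeping from the question but then hands the request to the delegate via `super.doFilter(...)`. It assumes the asker's `ThreadContext` and `EcasUser` classes exist in the same package with the methods used in the question, plus a hypothetical `ThreadContext.clear()` for resetting thread-local state; `logger` is the Commons Logging field inherited from GenericFilterBean.

```java
package fr.telecom.support.context;

import java.io.IOException;
import java.security.Principal;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.DelegatingFilterProxy;

// Added example (not the asker's code): populates the project's ThreadContext,
// then delegates to the "springSecurityFilterChain" bean so CsrfFilter runs and
// exposes the CsrfToken as the "_csrf" request attribute that the JSP reads.
public class DevicesSecurityFilter extends DelegatingFilterProxy {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterChain) throws ServletException, IOException {
        // Assumed project class from the question.
        ThreadContext threadContext = ThreadContext.getInstance();
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            Principal principal = httpRequest.getUserPrincipal();
            // Type-check instead of a blind cast: a non-EcasUser principal (or no
            // principal at all) must not abort the filter with a ClassCastException.
            if (principal instanceof EcasUser) {
                threadContext.setDomainUsername(((EcasUser) principal).getDomainUsername());
            }
            threadContext.setUserID(httpRequest.getRemoteUser());
        }
        try {
            // This is the call the question's filter is missing. DelegatingFilterProxy
            // looks up the bean named after this filter ("springSecurityFilterChain"),
            // runs Spring Security's filters (CsrfFilter included) and only then
            // continues with filterChain.
            super.doFilter(request, response, filterChain);

            // Diagnostic: CsrfFilter attaches the token to the request before the
            // downstream chain runs, so if it is still missing here the security
            // chain did not execute for this request.
            if (request.getAttribute(CsrfToken.class.getName()) == null) {
                logger.warn("No CsrfToken on request; springSecurityFilterChain did not run");
            }
        } finally {
            // Hypothetical clear() on the asker's ThreadContext: thread-local user data
            // must not leak into the next request served by the same container thread.
            threadContext.clear();
        }
    }
}
```

With this in place, a GET that renders the JSP produces `<input type="hidden" name="_csrf" value="...">`, and a POST that omits or mangles that field is rejected by CsrfFilter with a 403 instead of being silently accepted. The `permitAll` rule in the `<security:http>` block does not disable CSRF checking; CsrfFilter runs regardless of the access rules, which is why the empty token could only come from the filter chain never executing.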