【发布时间】:2015-11-13 15:14:32
【问题描述】:
我在我的项目中在jsp和freemarker上应用了CSRF,效果很好。
下面是spring-security.xml中指定Web url的代码
<http xmlns="http://www.springframework.org/schema/security"
access-denied-page="/accessdenied" auto-config="true" use-expressions="true"
create-session="ifRequired">
<intercept-url pattern="/register" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<form-login login-page="/login"
authentication-failure-handler-ref="customAuthenticationFailureHandler"
authentication-success-handler-ref="mySimpleUrlAuthenticationSuccessHandler" />
<logout logout-success-url="/login?logout=true" delete-cookies="JSESSIONID"
invalidate-session="true" />
<csrf/>
</http>
下面是 REST API 中 spring-security.xml 的代码。我也尝试在 REST HTTP 标记中添加 CSRF 标记,但效果不佳。
<http pattern="/api/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/addpatient" access="ROLE_ADMIN"
method="POST" />
<intercept-url pattern="/api/addpatient/image/{p_id}"
access="ROLE_ADMIN" method="POST" />
<intercept-url pattern="/api/patients" access="ROLE_ADMIN"
method="GET" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- <csrf /> -->
<!-- <http-basic/> <form-login login-processing-url="/api" authentication-success-handler-ref="mySuccessHandler"
authentication-failure-handler-ref="myFailureHandler" /> -->
</http>
REST 和 Web url 中的所有 POST 方法在我已应用安全性或添加到安全文件中的情况下都可以正常工作。但我想要一个 REST url 来注册新用户而不应用任何安全性。
当我从邮递员发送数据时,我得到以下控制台异常:
"10:09:48,749 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
10:09:48,749 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
10:10:10,723 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/adduser'; against '/oauth/token'
10:10:10,726 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/adduser'; against '/api/**'
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 1 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:10:10,726 DEBUG HttpSessionSecurityContextRepository:136 - No HttpSession currently exists
10:10:10,726 DEBUG HttpSessionSecurityContextRepository:90 - No SecurityContext was available from the HttpSession: null. A new one will be created.
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 2 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 3 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
10:10:10,727 DEBUG CsrfFilter:95 - Invalid CSRF token found for http://localhost:1522/si-server/adduser
enter into denied page
10:10:10,731 DEBUG cache:83 - Could not find template in cache, creating new one; id=["denied.ftl"["en_US",Cp1252,parsed] ]
10:10:10,791 DEBUG HttpSessionSecurityContextRepository:300 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
10:10:10,792 DEBUG HttpSessionSecurityContextRepository:300 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
10:10:10,797 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed"
附: 与我正在做同样事情的 web url 相比,只有没有安全性的 REST 不起作用。
【问题讨论】:
标签: spring-mvc spring-security csrf