500 XSRF token mismatch (null). Session may be expired

Time: 2014-06-27 05:50:39

Tags: post broadleaf-commerce

I am trying to call the REST API to create a cart using the POST method on /api/v1/cart. I tried it without a customer ID, but I am still facing the error. Is there any configuration for this?? Any help would be great. Below is the stack trace from the Jetty server.

HTTP ERROR 500

Problem accessing /api/v1/cart. Reason:

    XSRF token mismatch (null). Session may be expired.

Caused by:

    org.broadleafcommerce.common.exception.ServiceException: XSRF token mismatch (null). Session may be expired.
        at org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl.compareToken(ExploitProtectionServiceImpl.java:122)
        at org.broadleafcommerce.common.security.handler.CsrfFilter.doFilter(CsrfFilter.java:79)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.broadleafcommerce.common.web.filter.EstablishSessionFilter.doFilter(EstablishSessionFilter.java:43)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:180)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
        at com.anvayin.webapp.CustomCORSFilter.doFilter(CustomCORSFilter.java:38)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:448)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1067)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:377)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:192)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1001)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
        at org.eclipse.jetty.server.Server.handle(Server.java:360)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:454)
        at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:890)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:944)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:630)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:622)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
        at java.lang.Thread.run(Thread.java:744)

Thanks, Sneha

1 answer:

Answer 0: (score: 1)

Make sure that your site's web.xml includes applicationContext-rest-api.xml in the list of patchConfigLocations above applicationContext-security.xml. applicationContext-rest-api.xml excludes the blCsrfFilter for all paths that start with /api/:

<!-- Set up Spring security for the RESTful API -->
<sec:http pattern="/api/**" create-session="stateless">
    <sec:http-basic />
    <sec:custom-filter ref="blRestPreSecurityFilterChain" before="CHANNEL_FILTER"/>
    <sec:custom-filter ref="blRestCustomerStateFilter" after="REMEMBER_ME_FILTER"/>
    <sec:custom-filter ref="blRestPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
</sec:http>
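Spring Security evaluates `<sec:http>` elements in declaration order and applies the first chain whose pattern matches the request, so the ordering of the merged context files decides whether /api/v1/cart lands in the stateless API chain or in the site chain that carries blCsrfFilter. The web.xml fragment below is an added illustration of that ordering, not from the original answer: the context-param name `patchConfigLocation` (referred to as patchConfigLocations above) and the surrounding file paths are assumed, placeholder entries based on a typical Broadleaf DemoSite layout.

```xml
<!-- Constructed example: placeholder file list, only the relative order of the
     two highlighted entries matters. The paths are assumed, not taken from the page. -->
<context-param>
    <param-name>patchConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext-datasource.xml
        /WEB-INF/applicationContext-rest-api.xml
        /WEB-INF/applicationContext-security.xml
        /WEB-INF/applicationContext.xml
    </param-value>
</context-param>
<!-- If applicationContext-security.xml were listed before
     applicationContext-rest-api.xml, the catch-all <sec:http> chain from the
     security context would match /api/** first and blCsrfFilter would run
     against a request that carries no session token, which is exactly the
     "XSRF token mismatch (null)" failure shown in the question. -->
```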

If you don't have that section, Spring Security puts blCsrfFilter into the security filter chain, which is required for the site but should be excluded for the REST API. From applicationContext-security.xml:

<sec:http auto-config="false" authentication-manager-ref="blAuthenticationManager" disable-url-rewriting="true">
    <!-- We handle session fixation protection ourselves  -->
    <sec:session-management session-fixation-protection="none" />

    <!-- .................................. -->
    <!-- Other configuration excluded -->
    <!-- .................................. -->

    <!-- Specify our custom filters -->
    <sec:custom-filter ref="blPreSecurityFilterChain" before="CHANNEL_FILTER"/>
    <sec:custom-filter ref="blCsrfFilter" before="FORM_LOGIN_FILTER"/>
    <sec:custom-filter ref="blSessionFixationProtectionFilter" before="SESSION_MANAGEMENT_FILTER"/>
    <sec:custom-filter ref="blPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
</sec:http>