Enabling JSF 2.2 CSRF protection in a JSF / Spring Security application causes a protected view exception

Time: 2014-09-08 15:07:37

Tags: spring-security csrf jsf-2.2

I tried to implement CSRF protection for my login.xhtml form using the standard JSF mechanism, as follows, in faces-config.xml:

<protected-views>  
    <url-pattern>/login.xhtml</url-pattern>  
</protected-views> 

My application is a standard Maven web application (PrimeFaces 5.0 / JSF 2.2 / Spring Security 3.2.5). When I try to open the login page I get the following error:

javax.faces.application.ProtectedViewException  
at com.sun.faces.lifecycle.RestoreViewPhase.maybeTakeProtectedViewAction(RestoreViewPhase.java:310)  
at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:231)  
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)  
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:121)  
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198)  
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:646)  
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682)  
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:344)  
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)  
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)  
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)  
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)  
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)  
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)  
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)  
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)  
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)  
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)  
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)  
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)  
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)  
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)  
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)  
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)  
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)  
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)  
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)  
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)  
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)  
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)  
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)  
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)  
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)  
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)  
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)  
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)  
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)  
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)  
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)  
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)  
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)  
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)  
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)  
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)  
at java.lang.Thread.run(Thread.java:744)

I also created an empty JSF page without any Spring elements and got the same error. The Oracle tutorial on CSRF protection works without any problem on my NetBeans / GlassFish setup. My application without CSRF also works fine, with authorization and correct redirection after login.

P.S. I would prefer to use the JSF CSRF protection. But I also tried using Spring CSRF and could not find any tutorial on how to include the token in JSF. I get an error that the field is not writable: javax.el.PropertyNotWritableException: /login.xhtml @17,85 value="#{_csrf.token}": The class 'org.springframework.security.web.csrf.DefaultCsrfToken' does not have a writable property 'token'. Could you please recommend any resources on this problem?
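The ProtectedViewException in the question is the protected-views mechanism working as designed: it guards GET navigation to a view, not form posts, and it only admits requests that carry the javax.faces.Token parameter that JSF's own link components append, so a login page that Spring Security redirects to without that token can never be opened. The faces-config.xml and index.xhtml below are an added illustration, not the asker's code; account.xhtml and the home page are assumed names.

```xml
<!-- faces-config.xml (added example). Only views reached from inside the
     application belong here; the login page must stay reachable by a plain
     GET because Spring Security redirects unauthenticated users to it. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">
    <protected-views>
        <!-- account.xhtml is an assumed page; any state-bearing GET view fits -->
        <url-pattern>/account.xhtml</url-pattern>
    </protected-views>
</faces-config>

<!-- index.xhtml (added example). h:link and h:button build their URL through
     ViewHandler.getBookmarkableURL, which appends the per-session
     javax.faces.Token parameter when the target is a protected view, e.g.
       /app/account.xhtml?javax.faces.Token=...
     A typed URL, a bookmark, or an external redirect (such as Spring Security's
     login-page redirect) carries no token, so RestoreViewPhase rejects it with
     the ProtectedViewException shown in the question. -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head><title>Home</title></h:head>
<h:body>
    <!-- outcome resolves to /account.xhtml via implicit navigation and the
         rendered href carries the token -->
    <h:link outcome="account" value="My account" />
    <!-- a hand-written <a href="account.xhtml"> would get no token and be rejected -->
</h:body>
</html>
```

Postbacks from h:form are already covered by the javax.faces.ViewState token, which is why the protected-views list is meant for GET-reachable views rather than the login form.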

0 answers:

No answers
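For the P.S. in the question, the following login.xhtml is an added example (not the asker's code) of carrying Spring Security's token in a JSF form: the PropertyNotWritableException arises because h:inputHidden tries to write the posted value back into #{_csrf.token} on submit, and DefaultCsrfToken has no setter, whereas a plain HTML hidden input is rendered once and never written back. It assumes Spring Security 3.2's CsrfFilter is active, which exposes the CsrfToken as the `_csrf` request attribute, and loginBean is an assumed backing bean.

```xml
<!-- login.xhtml (added example). loginBean is an assumed backing bean. -->
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head><title>Login</title></h:head>
<h:body>
    <!-- Fails on submit: h:inputHidden is an EditableValueHolder, so in the
         Update Model Values phase JSF calls the setter behind #{_csrf.token};
         DefaultCsrfToken has none, hence PropertyNotWritableException. -->
    <!--
    <h:form>
        <h:inputHidden value="#{_csrf.token}" />
    </h:form>
    -->

    <!-- Works: a passthrough HTML input is rendered from the EL value once
         and is never written back. CsrfFilter stores the token in the
         "_csrf" request attribute; the field name must equal
         #{_csrf.parameterName} ("_csrf" by default) so CsrfFilter can
         find it in the POST body. -->
    <h:form id="login">
        <input type="hidden" name="#{_csrf.parameterName}" value="#{_csrf.token}" />
        <h:outputLabel for="username" value="Username" />
        <h:inputText id="username" value="#{loginBean.username}" required="true" />
        <h:outputLabel for="password" value="Password" />
        <h:inputSecret id="password" value="#{loginBean.password}" required="true" />
        <h:commandButton value="Sign in" action="#{loginBean.login}" />
    </h:form>
</h:body>
</html>
```

Every h:form in the application needs the same hidden input, because CsrfFilter validates every POST, JSF postbacks included, regardless of which view they target.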