我一直试图弄清楚为什么隐藏的csrf字段不会自动添加到我的登录表单中。 我使用Spring 4.1.1和Spring Security 4.0.1以及Thymeleaf 2.1.4。
我能找到解决问题的方法是使用thymeleaf中的_csrf变量手动添加字段(尽管_csrf对我来说是空的),或者在Java配置中使用@EnableWebMvcSecurity。 但是,我使用xml来配置安全性,并希望保持这种方式。 这一切归结为:我可以添加什么来安全xml,以使百万美元生成csrf令牌字段?
我目前的配置是:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<!-- **************************************************************** -->
<!-- RESOURCE FOLDERS CONFIGURATION -->
<!-- Dispatcher configuration for serving static resources -->
<!-- **************************************************************** -->
<mvc:resources mapping="/dist/**" location="file:/var/www/meubelplan/dist/"/>
<mvc:resources mapping="/css/**" location="file:/var/www/meubelplan/css/"/>
<mvc:resources mapping="/js/**" location="file:/var/www/meubelplan/js/"/>
<mvc:resources mapping="/images/**" location="file:/var/www/meubelplan/images/"/>
<!-- **************************************************************** -->
<!-- SPRING ANNOTATION PROCESSING -->
<!-- **************************************************************** -->
<mvc:annotation-driven/>
<context:component-scan base-package="com.wwk.meubelplan"/>
<!-- **************************************************************** -->
<!-- SPRING SECURITY -->
<!-- **************************************************************** -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="sem" password="rtyfghvbn" authorities="ROLE_USER" />
<security:user name="winnie" password="ikbenwinnie" authorities="ROLE_USER" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
<security:http pattern="/account/login" security="none"/>
<security:http pattern="/account/logout" security="none"/>
<security:http pattern="/account/create" security="none"/>
<security:http use-expressions="false">
<security:csrf/>
<security:intercept-url pattern='/account/**' access='ROLE_USER' />
<security:form-login login-page='/account/login' default-target-url='/account' always-use-default-target='true'/>
<security:logout logout-url="/account/logout" delete-cookies="JSESSIONID" logout-success-url="/account/login"/>
</security:http>
<!-- **************************************************************** -->
<!-- THYMELEAF-SPECIFIC ARTIFACTS -->
<!-- TemplateResolver <- TemplateEngine <- ViewResolver -->
<!-- **************************************************************** -->
<bean id="templateResolver"
class="org.thymeleaf.templateresolver.FileTemplateResolver">
<property name="prefix" value="/var/www/meubelplan/" />
<property name="suffix" value=".html" />
<property name="templateMode" value="HTML5" />
<property name="characterEncoding" value="UTF-8" />
<property name="cacheable" value="false"/>
</bean>
<bean id="templateEngine"
class="org.thymeleaf.spring4.SpringTemplateEngine">
<property name="templateResolver" ref="templateResolver" />
</bean>
<bean class="org.thymeleaf.spring4.view.ThymeleafViewResolver">
<property name="templateEngine" ref="templateEngine" />
<property name="characterEncoding" value="UTF-8" />
</bean>
</beans>
我的表格的百里叶模板是:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head th:include="partials/general/head"></head>
<body>
<div class="container">
<nav th:replace="partials/general/navbar"></nav>
<div th:replace="partials/general/logobar"></div>
<div class="row">
<div class="col-md-6 col-md-offset-3">
<br/><br/>
<div class="panel panel-default">
<div class="panel-heading">Login om uw account gegevens te bekijken</div>
<div class="panel-body">
<form name="loginForm" method="POST" th:action="@{'~/account'}">
<div class="form-group">
<label for="username">Email address</label>
<input type="text" class="form-control" id="username" name="username" placeholder="Gebruikersnaam"/>
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password" class="form-control" id="password" name="password" placeholder="Password"/>
</div>
<button type="submit" class="btn btn-default" value="Submit">Inloggen</button>
</form>
</div>
</div>
</div>
</div>
</div><!-- /.container -->
<span th:replace="partials/general/scripts"></span>
</body>
</html>
提前感谢任何指向正确方向的指示:)
此致
了Sem
答案 0 :(得分:1)
如果它没有自动插入CSRF令牌,您可以强制它通过以下行:
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
答案 1 :(得分:0)
我在其他问题中找到了所需的信息: spring security 3.2.0 csrf token not working in freemarker template
答案是:
将以下xml添加到xml配置中将使thymeleaf能够自动将csrf令牌输入添加到表单中。
的security.xml
<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"/>
<bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
<constructor-arg>
<bean class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
<property name="headerName" value="X-SECURITY" />
</bean>
</constructor-arg>
</bean>
的web.xml
<filter>
<filter-name>csrfFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>csrfFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>