我有一个angularjs应用程序。此步骤用于注册用户,因此它是POST方法。提交注册表格的angularjs服务如下:
homeApp.factory('mainService', ['$http', function($http) {
var mainService = {};
mainService.signupArtist = function(data){
var promise = $http.post('../user/register/artist', data) .then(function(response) {
return response.data;
});
return promise;
}
return mainService;
}]);
我的弹簧安全设置为:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.2.xsd">
<http auto-config="false" use-expressions="true" entry-point-ref="customAuthenticationEntryPoint">
<intercept-url pattern="/artist/**" access="hasRole('ROLE_ARTIST')" />
<intercept-url pattern="customer/**" access="hasRole('ROLE_CUSTOMER')" />
<!-- access denied page -->
<access-denied-handler error-page="/user/403" />
<logout invalidate-session="true" logout-success-url="/user/login" />
<custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
<!-- enable csrf protection -->
<csrf/>
<custom-filter after="CSRF_FILTER" ref="csrfHeaderFilter" />
<csrf token-repository-ref="csrfTokenRepository" />
</http>
<!-- Select users and user_roles from database -->
<authentication-manager alias="authenticationManager">
<authentication-provider ref="authenticationProvider" >
</authentication-provider>
</authentication-manager>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
<beans:bean id="customAuthenticationEntryPoint"
class="com.tong.learn.service.security.CustomAuthenticationEntryPoint">
<beans:property name="loginPageUrl" value="/user/login" />
<beans:property name="returnParameterEnabled" value="true" />
<beans:property name="returnParameterName" value="r" />
</beans:bean>
<beans:bean id="authenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<!-- change here if customize form action
handler are for login with ajax POST -->
<beans:property name="authenticationFailureHandler"
ref="securityLoginFailureHandler" />
<beans:property name="authenticationSuccessHandler"
ref="securityLoginSuccessHandler" />
<beans:property name="passwordParameter" value="password" />
<beans:property name="usernameParameter" value="username" />
</beans:bean>
<beans:bean id="securityLoginSuccessHandler"
class="com.tong.learn.service.security.SecurityLoginSuccessHandler">
</beans:bean>
<beans:bean id="securityLoginFailureHandler"
class="com.tong.learn.service.security.SecurityLoginFailureHandler">
<beans:property name="defaultFailureUrl" value="/user/login" />
</beans:bean>
<beans:bean id="csrfHeaderFilter"
class="com.tong.learn.service.security.CsrfHeaderFilter" >
</beans:bean>
<beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
<beans:property name="headerName" value="X-XSRF-TOKEN" />
</beans:bean>
</beans:beans>
这些来自Spring website。
的链接当我提交表单时,服务器给出了405错误,这是意外的,因为我一直在本地主机上,而不是从不同的域请求某些东西。 cookie应该是正确的。
请求和响应如下:
General
Remote Address:[::1]:8080
Request URL:http://localhost:8080/learn/user/register/artist
Request Method:POST
Status Code:405 Method Not Allowed
Response Headers
view source
Allow:GET
Content-Language:en
Content-Length:1090
Content-Type:text/html;charset=ISO-8859-1
Date:Sun, 06 Sep 2015 03:48:16 GMT
Server:Apache-Coyote/1.1
Request Headers
view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Connection:keep-alive
Content-Length:2
Content-Type:application/json;charset=UTF-8
Cookie:JSESSIONID=2E77A6690C8F56BFA8F51AF37974BA1B; XSRF-TOKEN=2dfa09e4-9201-4b14-b2d3-fea8a9117be3
Host:localhost:8080
Origin:http://localhost:8080
Referer:http://localhost:8080/learn/home/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
X-Requested-With:XMLHttpRequest
X-XSRF-TOKEN:2dfa09e4-9201-4b14-b2d3-fea8a9117be3
我不知道出了什么问题。你能帮助我吗?感谢。
答案 0 :(得分:1)
更新:
检查这个类似SO的问题,其中有一个示例angularjs http拦截器直接获取csrf参数并在所有请求中添加标题。
默认angularJS的原因不起作用,如link
中所述默认情况下,AngularJS提供了一种实现跨站点请求伪造的机制,但此机制仅适用于cookie。由于Spring Security通过将令牌设置为HTTP参数来工作,因此AngularJS提供的现成解决方案无效。
正如spring-security-csrf-token-interceptor项目文档中所述 - “AngularJS拦截器在所有HTTP请求中设置Spring Security CSRF令牌信息” - 它通过调用头来接收X-CSRF -TOKEN,然后它存储此令牌并随每个http请求发送出去。
总结:添加上面项目中提到的角度拦截器来修复你的案例。检查该github项目中提到的示例。
答案 1 :(得分:0)
更新:
经过一些调查,我发现我误解了CORF(https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)的CSRF。保护CSRF攻击很重要。我认为只有在通过其他方式阻止CSRF时,您才可以绕过CsrfFilter。
=============================================== ==
之前我遇到过类似的问题。根据{{3}},启用SCRF后,CsrfFilter将拦截所有http请求,其中包含私有类DefaultRequiresCsrfMatcher。
private static final class DefaultRequiresCsrfMatcher implements RequestMatcher {
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
/* (non-Javadoc)
* @see org.springframework.security.web.util.matcher.RequestMatcher#matches(javax.servlet.http.HttpServletRequest)
*/
public boolean matches(HttpServletRequest request) {
return !allowedMethods.matcher(request.getMethod()).matches();
}
}
对于GET|HEAD|TRACE|OPTIONS方法,它将直接通过,而POST方法将根据其CSRF令牌进行检查。
因此,如果您不打算使用CSRF将POST URL公开给其他域,只需为CSRFFilter实现另一个Matcher,以绕过POST方法或某些URL模式。