_csrf token, Spring 3.2.8

Date: 2015-11-18 15:55:52

Tags: spring-mvc spring-security csrf csrf-protection

I want to protect my application against CSRF attacks, so I added this to my applicationContext.xml:

<security:global-method-security secured-annotations="enabled" />

<security:http auto-config="true">
    <security:csrf/>
    <security:intercept-url pattern="/**" access="permitAll" />
</security:http>

<security:authentication-manager/>

and this to my web.xml:

<!-- spring security csrf -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>fr.telecom.support.context.DevicesSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

and my filter:

package fr.telecom.support.context;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;

public class DevicesSecurityFilter extends DelegatingFilterProxy {

    public DevicesSecurityFilter() {
    }

    public DevicesSecurityFilter(Filter delegate) {
        super(delegate);
    }

    public DevicesSecurityFilter(String targetBeanName) {
        super(targetBeanName);
    }

    public DevicesSecurityFilter(String targetBeanName, WebApplicationContext wac) {
        super(targetBeanName, wac);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain filterChain) throws ServletException, IOException {

        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            ThreadContext threadContext = ThreadContext.getInstance();

            try {
                // EcasUser and ThreadContext are the application's own classes
                EcasUser ecasUser = (EcasUser) httpServletRequest.getUserPrincipal();
                if (ecasUser != null) {
                    threadContext.setDomainUsername(ecasUser.getDomainUsername());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
            threadContext.setUserID(httpServletRequest.getRemoteUser());
        }

        System.out.println("filterChain -> " + filterChain);

        // Hands the request straight to the next filter in the container chain;
        // the proxied springSecurityFilterChain bean is never invoked from here.
        if (filterChain != null) {
            filterChain.doFilter(request, response);
        }
    }
}

and added this to the JSP:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 

But when I run the application and use the JSP, this is what I get! And no exception is thrown!

<input type="hidden" name="" value=""/> 

I expected something like this to appear:

<input type="hidden" name="_csrf" value="8d0bf854-83a1-4fbf-a792-390a84ecf545"/>

1 answer:

Answer 0 (score: 0)

First of all, I want to say that extending DelegatingFilterProxy is not a good idea.

The problem is that the delegate is never called.

A possible quick fix is to replace filterChain.doFilter with:

super.doFilter(request, response, filterChain);
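The longer-term version of the fix the answer hints at, added here as an example that is not part of the question or the answer: leave Spring Security's DelegatingFilterProxy alone and move the ThreadContext bookkeeping into a separate, ordinary servlet Filter registered behind it in web.xml. ThreadContext and EcasUser are the poster's own classes as used in the question; DevicesContextFilter, the devicesContextFilter filter-name and the ThreadContext.clear() call are assumptions introduced for this example.

```java
// Added example, not the poster's code. Keeps springSecurityFilterChain as a
// plain DelegatingFilterProxy and does the per-request user bookkeeping in
// its own filter. ThreadContext.clear() is ASSUMED to exist (it is not shown
// in the question); if your ThreadContext has no such method, add one that
// removes the thread-local state.
package fr.telecom.support.context;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class DevicesContextFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        ThreadContext threadContext = ThreadContext.getInstance();
        try {
            if (request instanceof HttpServletRequest) {
                HttpServletRequest httpRequest = (HttpServletRequest) request;
                // getUserPrincipal() is whatever the container authenticated;
                // check the type instead of casting and catching Exception.
                Object principal = httpRequest.getUserPrincipal();
                if (principal instanceof EcasUser) {
                    threadContext.setDomainUsername(((EcasUser) principal).getDomainUsername());
                }
                threadContext.setUserID(httpRequest.getRemoteUser());
            }
            // Always continue the chain; CSRF checking happens in the
            // separately mapped springSecurityFilterChain, not here.
            chain.doFilter(request, response);
        } finally {
            // ASSUMED method: drop the thread-local user state so a pooled
            // request thread does not carry one user's identity into the
            // next request it serves.
            threadContext.clear();
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/* web.xml fragment that goes with this class, replacing the single <filter>
   entry from the question. Filter-mapping order is chain order, so Spring
   Security (including the CsrfFilter that sets the _csrf request attribute)
   runs before the context filter and before any JSP is rendered:

   <filter>
       <filter-name>springSecurityFilterChain</filter-name>
       <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>springSecurityFilterChain</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
       <filter-name>devicesContextFilter</filter-name>
       <filter-class>fr.telecom.support.context.DevicesContextFilter</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>devicesContextFilter</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>
*/
```

Two checks after deploying: the rendered JSP should now carry a non-empty name="_csrf" and value, and a POST sent without that parameter (or with a wrong value) should be rejected by the CsrfFilter with a 403 rather than reaching the controller. If the hidden field is still empty, the delegate is still not running, which with the original class means the overridden doFilter is still bypassing super.doFilter.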