redis spring会话中的CSRF令牌

时间:2016-07-02 13:52:21

标签: spring spring-security redis csrf spring-session

我正在尝试在spring session redis中添加CSRF令牌,以便在群集中运行webapp。

需要Spring Java config / xml(旧版本)

的解决方案

我已经在会话部分使用RedisHttpSessionConfiguration(在第一阶段实现)

我的WebSecurityConfig是

package com.groupon.website.config;

import javax.servlet.FilterRegistration;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

private Logger logger = LogManager.getLogger(WebSecurityConfig.class);
@Autowired
@Qualifier("csrfSecurityRequestMatcher")
RequestMatcher csrfSecurityRequestMatcher;

@Autowired
@Qualifier("redisCsrfTokenRepository")
private  CsrfTokenRepository redisCsrfTokenRepository;

@Override
protected void configure(HttpSecurity http) throws Exception {
    logger.info("Inside WebSecurityConfig");

    //403 issue


    http.headers().xssProtection().and().csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher)
            .csrfTokenRepository(redisCsrfTokenRepository)
        ;

    }

  }

CsrfTokenRepository是RedisCsrfTokenRepository

package com.groupon.website.config;


import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.session.ExpiringSession;
 import org.springframework.session.data.redis.RedisOperationsSessionRepository;
 import org.springframework.stereotype.Component;
 import org.springframework.util.SerializationUtils;

 import redis.clients.jedis.Jedis;

 @Component
 public class RedisCsrfTokenRepository implements         CsrfTokenRepository,InitializingBean {

private static final Logger log =           LoggerFactory.getLogger(RedisCsrfTokenRepository.class);

public static final String CSRF_PARAMETER_NAME = "_csrf";

public static final String CSRF_HEADER_NAME = "X-CSRF-TOKEN";

@Value("${redis.host.name}")
private String redisHostName;
@Value("${redis.port}")
private int redisPort;

private Jedis tokenRepository;

@Autowired
private JedisConnectionFactory jedisConnectionFactory;

//@Autowired
//private RedisOperationsSessionRepository sessionRepository;


 public RedisCsrfTokenRepository() {
    log.info("Creating {}", RedisCsrfTokenRepository.class.getSimpleName());

}

@Override
public CsrfToken generateToken(HttpServletRequest request) {
    return new DefaultCsrfToken(CSRF_HEADER_NAME, CSRF_PARAMETER_NAME, createNewToken());
}

@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
    String key = getKey(request);
    if (key == null)
        return;

    if (token == null) {
        //Use connection factory
        //tokenRepository.del(key.getBytes());
        jedisConnectionFactory.getConnection().del(key.getBytes());
    } else {
        //Use connection factory
        //tokenRepository.set(key.getBytes(), SerializationUtils.serialize(token));
        jedisConnectionFactory.getConnection().set(key.getBytes(), SerializationUtils.serialize(token));
    }

}

@Override
public CsrfToken loadToken(HttpServletRequest request) {
    String key = getKey(request);
    if (key != null) {
        //Use connection factory
        //byte[] tokenString = tokenRepository.get(key.getBytes());
        byte[] tokenString = jedisConnectionFactory.getConnection().get(key.getBytes());
        if (tokenString != null) {
            return (CsrfToken) SerializationUtils.deserialize(tokenString);
        }
    }
    return null;
}

private String getKey(HttpServletRequest request) {

    //getKey going to be changed
    HttpSession session = request.getSession(false);
    //RedisOperationsSessionRepository sessionRepository = new RedisOperationsSessionRepository(redisConnectionFactory)

    //ExpiringSession session = sessionRepository.getSession(request.getSession().getId());
    if (session == null) {
        return null;
    }

    String result = session.getId()+CSRF_PARAMETER_NAME;
    //String result = request.getHeader("X-CSRF-TOKEN");
    return result;
}

private String createNewToken() {
    return UUID.randomUUID().toString();
}

@Override
public void afterPropertiesSet() throws Exception {
    tokenRepository = new Jedis(redisHostName, redisPort, 30000);
}
}

(没有使用tokenRpository,我只是复制粘贴代码,但正在使用jedisConnectionFatcory)

我仍然断断续续地得到403以表明没有获得CSRF令牌。

仅显示了java配置。有人可以帮帮我吗。

1 个答案:

答案 0 :(得分:0)

我们已经通过更改我们的RedisCsrfTokenRepository来解决它,而不是

来获取密钥
HttpSession session = request.getSession(false);

我们正在使用

Cookie sessionCookies = WebUtil.getCookie (request, WebAppConstants.SESSION);


if (sessionCookies == null || sessionCookies.getValue() == null) {
    return null;
}

String sessionId = sessionCookies.getValue();

因为我们正在使用有效的cookie。

在管道中,更改defaultSessionFilter以便不需要进行此更改。