我正在开发一个Springboot应用程序,它具有使用spring security的注册和登录表单。我正在使用HTML5进行视图,但我不知道如何添加CSRF令牌。目前我正在获得whitelabel错误页面:
Whitelabel错误页面
此应用程序没有/ error的显式映射,因此您将此视为后备。
2016年10月22日星期六09:07:06 BST 2016 出现意外错误(type = Forbidden,status = 403)。 在请求参数'_csrf'或标题'X-CSRF-TOKEN'上找到无效的CSRF令牌'null'。
这是我的注册HTML表单:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:th="http://www.thymeleaf.org">
<head lang="en">
<meta charset="UTF-8"/>
<title>Registration</title>
<!-- Bootstrap core CSS -->
<link href="css/bootstrap.min.css" rel="stylesheet" />
<link href="css/common.css" rel="stylesheet" />
</head>
<body>
<div class="container">
<form method="POST" modelAttribute="userForm" class="form-signin">
<h2 class="form-signin-heading">Create your account</h2>
<bind path="username">
<div class="form-group ${status.error ? 'has-error' : ''}">
<input type="text" path="username" class="form-control" placeholder="Username"
autofocus="true"/>
<errors path="username"></errors>
</div>
</bind>
<bind path="password">
<div class="form-group ${status.error ? 'has-error' : ''}">
<input type="password" path="password" class="form-control" placeholder="Password"/>
<errors path="password"></errors>
</div>
</bind>
<bind path="passwordConfirm">
<div class="form-group ${status.error ? 'has-error' : ''}">
<input type="password" path="passwordConfirm" class="form-control"
placeholder="Confirm your password"/>
<errors path="passwordConfirm"></errors>
</div>
</bind>
<button class="btn btn-lg btn-primary btn-block" type="submit">Submit</button>
</form>
</div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
</html>
我不想从Spring安全性中禁用CSRF,因为它会保护应用程序。
非常感谢
安德烈
编辑:
我试过这个但是没有用:
<input type="hidden" id= "csrf-token" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
<button class="btn btn-lg btn-primary btn-block" type="submit">Submit</button>
错误:
2016-10-22 11:55:56.452 ERROR 18960 --- [nio-8080-exec-7] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.NullPointerException] with root cause
java.lang.NullPointerException: null
at com.golosinaspitufos.security.validator.UserValidator.validate(UserValidator.java:25) ~[classes/:na]
at com.golosinaspitufos.security.web.UserController.registration(UserController.java:35) ~[classes/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_101]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_101]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_101]
用户控制器类:
@Controller
public class UserController {
@Autowired
private UserService userService;
@Autowired
private SecurityService securityService;
@Autowired
private UserValidator userValidator;
@RequestMapping(value = "/registration", method = RequestMethod.GET)
public String registration(Model model) {
model.addAttribute("userForm", new User());
return "registration";
}
@RequestMapping(value = "/registration", method = RequestMethod.POST)
public String registration(@ModelAttribute("userForm") User userForm, BindingResult bindingResult, Model model) {
userValidator.validate(userForm, bindingResult);
if (bindingResult.hasErrors()) {
return "registration";
}
userService.save(userForm);
securityService.autologin(userForm.getUsername(), userForm.getPasswordConfirm());
return "redirect:/welcome";
}
@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(Model model, String error, String logout) {
if (error != null)
model.addAttribute("error", "Your username and password is invalid.");
if (logout != null)
model.addAttribute("message", "You have been logged out successfully.");
return "login";
}
@RequestMapping(value = {"/", "/welcome"}, method = RequestMethod.GET)
public String welcome(Model model) {
return "welcome";
}
}