我希望在启用CSRF的情况下将cURL用于HTTP POST请求,但我总是得到相同的错误。这是我的代码:
Spring安全配置:
http
.exceptionHandling()
.authenticationEntryPoint(new Http401UnauthorizedEntryPoint())
.and()
.authorizeRequests()
.antMatchers("/cim/**").hasRole("USER")
.and()
.formLogin()
.passwordParameter("password")
.usernameParameter("username")
.loginProcessingUrl("/cim/login")
.failureHandler(authFailHandler)
.successHandler(authSuccessHandler)
.and()
.logout()
.logoutUrl("/cim/logout")
.and()
.addFilterAfter(new XSRFHeaderFilter(), CsrfFilter.class);
cURL致电:
curl -H "Accept: application/json" -H "Content-type: application/json" -X POST -d '{"type": "journey","descriptif": "rmrmrmrmr","hash":"KQJ4pj6Vy6SL99ynkNnjcGRkwr5eAwceakxbAE8xH5lvno1ZDJcW4RamRmwMuqx7pBXqvpHa8n5lMKjLHr8p","name":"shop_achat_2015-09-15_2015-09-15rmrmr","user": "admin"}' http://localhost:8080/cim/explore/form
错误:
<p>Problem accessing /cim/explore/form. Reason:
<pre> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.NullPointerException
at fr.aid.cim.web.security.audit.MultiReadHttpServletRequest.getValueParameter(MultiReadHttpServletRequest.java:140)
at fr.aid.cim.web.security.audit.MultiReadHttpServletRequest.getParameter(MultiReadHttpServletRequest.java:86)
at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:194)
at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:194)
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:91)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1699)
at fr.aid.cim.web.security.audit.RequestWrapperFilter.doFilter(RequestWrapperFilter.java:27)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1691)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
at org.eclipse.jetty.server.Server.handle(Server.java:523)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
at java.lang.Thread.run(Thread.java:745)
XSRFHeaderFilter.java
public class XSRFHeaderFilter extends OncePerRequestFilter {
public static final String XSRF_TOKEN = "XSRF-TOKEN";
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, XSRF_TOKEN);
String token = csrf.getToken();
if (cookie==null || token!=null && !token.equals(cookie.getValue())) {
cookie = new Cookie(XSRF_TOKEN, token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
}
注意: 问题是csrf我无法修复它,因为当我在Springconfig中添加csrf()。disable()时运行良好但我想启用csrf