I have the following form on an unauthenticated page, start.html:
<form action="approve" method="POST">
<button type="submit">Submit</button>
</form>
I configure security with the Spring Boot starter security as follows:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Static resources, the start page and /approve are open to everyone;
        // everything else needs a fully authenticated session.
        http
            .authorizeRequests()
                .antMatchers("/css/**", "/images/**", "/js/**", "/lib/**", "/fonts/**", "/start.html", "/approve")
                    .permitAll()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll();
    }
}
When the form is submitted, it is handled by this controller:
import java.io.IOException;

import javax.servlet.http.HttpServletResponse;

import lombok.RequiredArgsConstructor;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequiredArgsConstructor
public class ApprovalController {
    // No HTTP method is given, so this mapping matches GET and POST alike.
    @RequestMapping("/approve")
    public @ResponseBody void handleRequest(HttpServletResponse response) throws IOException {
        // write to the output stream of response, etc.
    }
}
But when the POST to /approve is made, I get the following error:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
// current date
There was an unexpected error (type=Forbidden, status=403).
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
How do I specify that POSTs to the approval controller should not be protected?
Answer 0 (score: 1)
You get a 403 because you are not sending the CSRF token.
You should add the CSRF token as a hidden input in the form:
<input type='hidden' value='${_csrf.token}' name='${_csrf.parameterName}'/>
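The answer keeps the token; the question asked how to exempt /approve from the check instead. Spring Security's CsrfConfigurer supports a per-path exemption through ignoringAntMatchers(), which leaves the token check in place for every other state-changing request. The configuration below is an added example written for this page, not code from the question or the answer; the package name is hypothetical and the matchers are copied from the question's config. Note the trade-off before using it: /approve is already permitAll(), so once the CSRF check is removed as well, any third-party page can trigger the approval by submitting a form to it from a logged-in user's browser, which is exactly what the token prevents. Exempt an endpoint only if it changes no state or authenticates requests some other way (for example an API token in a header that browsers will not send automatically).

```java
// Added example (not from the original question or answer): keep CSRF
// protection application-wide but exempt the single endpoint /approve.
package example.security;   // hypothetical package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Only this path skips the token check. Every other POST, PUT,
                // PATCH or DELETE still needs a valid _csrf parameter or
                // X-CSRF-TOKEN header. Do NOT call csrf().disable() here: that
                // would remove the protection from every authenticated form.
                .ignoringAntMatchers("/approve")
                .and()
            .authorizeRequests()
                .antMatchers("/css/**", "/images/**", "/js/**", "/lib/**", "/fonts/**",
                             "/start.html", "/approve")
                    .permitAll()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll();
    }
}
```

If the page is rendered by a template engine, the token route from the answer is usually the better fix and needs no security-config change: with Thymeleaf, a form declared as `<form th:action="@{/approve}" method="post">` gets the hidden _csrf field injected automatically by the Spring integration, and in a JSP the answer's `${_csrf.token}` / `${_csrf.parameterName}` expressions resolve against the request attribute that CsrfFilter sets. A quick check that the exemption (or the token) works: submit the form from start.html and confirm the 403 is gone, then POST to any other protected URL without a token and confirm you still get 403, which shows the check was narrowed rather than switched off.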