我想使用http post将数据从jsp页面发布到我的控制器。问题是,当我启用csrf请求没有发送但是我想启用csrf可以帮助我吗?
针对home.jsp
ESTspringsecurity.xml
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.0/jquery.min.js"></script>
<title>Insert title here</title>
</head>
<body>
hello there !!!<br>
<button type="button" onclick="location.href='${pageContext.request.contextPath}/create';"> start workflow</button> <br>
<button type="button" onclick="location.href='${pageContext.request.contextPath}/workflows';"> View Workflows</button> <br>
<button type="button" onclick="sendDataWithJson();"> View data</button> <br>
<a href="${pageContext.request.contextPath}/login">login</a>
<p>Parameter from home ${pageContext.request.userPrincipal.name}</p>
</body>
<script type="text/javascript">
function success(data){
alert("success");
}
function error(data){
alert("error");
}
function sendDataWithJson(){
$.ajax({
type: 'POST',
url: '<c:url value="/sendmessage" />',
data: JSON.stringify({"text":"bla bla bla","name":"MED"}),
success:success,
error:error,
contentType: "application/json",
dataType: "json"
});
}
</script>
</html>
控制器
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<security:authentication-manager>
<security:ldap-authentication-provider
user-search-filter="(uid={0})" user-search-base="ou=users"
group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
group-role-attribute="cn" role-prefix="ROLE_" />
</security:authentication-manager>
<security:ldap-server url="ldap://localhost:8389/o=mojo"
manager-dn="uid=admin,ou=system" manager-password="secret" />
<security:http use-expressions="true">
<security:intercept-url pattern="/" access="permitAll"/>
<security:intercept-url pattern="/next" access="permitAll" />
<security:intercept-url pattern="/workflows" access="isAuthenticated()"/>
<security:intercept-url pattern="/getmessages" access="isAuthenticated()"/>
<security:intercept-url pattern="/sendmessage" access="permitAll"/>
<security:form-login login-page="/login"
login-processing-url="/login"
authentication-failure-url="/login.html?error=true"
username-parameter="username"
password-parameter="password"
/>
<security:csrf/>
</security:http>
</beans>
答案 0 :(得分:2)
您可以在使用csrf时将jsp值添加到html:
<meta name="_csrf_param" content="${_csrf.parameterName}"/>
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
这将从会话中呈现crsf值。
现在您正在使用ajax,您应该在标头中添加csrf令牌,您可以扩展jquery:
$(function () {
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});