我需要 Spring Security CSRF 保护方面的帮助。启用 CSRF 保护后，访问 Tomcat 上的 JSP 时出现 403 错误。有没有办法解决这个问题？下面是完整的 spring-security.xml。
<beans:beans xmlns="http://www.springframework.org/schema/beans"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Chain 1: everything under /conf/** is denied; the access-denied page is the login JSP. -->
<security:http pattern="/conf/**" access-denied-page="/mobiledoc/jsp/ContentManagement/login.jsp" auto-config="true" request-matcher="ant" use-expressions="true" disable-url-rewriting="true">
<security:intercept-url pattern="/**" access="denyAll"/>
</security:http>
<!-- Chain 2: the application pages. Unauthenticated requests are sent to hubAuthEntryPoint.
     NOTE(review): this chain is selected by the path "/jsp/**", while most intercept-url
     patterns below start with "/mobiledoc/jsp/". Both are Ant patterns evaluated against the
     same request path, so presumably only one of the two forms can match a given request;
     verify which of these rules actually fires for a request like /mobiledoc/jsp/... -->
<security:http pattern="/jsp/**" auto-config="true" request-matcher="ant" use-expressions="true" entry-point-ref="hubAuthEntryPoint" disable-url-rewriting="true">
<security:intercept-url pattern="/**/*.css" access="permitAll"/>
<security:intercept-url pattern="/**/images/**" access="permitAll"/>
<security:intercept-url pattern="/**/*.js" access="permitAll"/>
<security:intercept-url pattern="/**/img/**" access="permitAll"/>
<security:intercept-url pattern="/**/fonts/**" access="permitAll"/>
<security:intercept-url pattern="/mobiledoc/jsp/ContentManagement/login.jsp" access="permitAll"/>
<security:intercept-url pattern="/mobiledoc/jsp/ContentManagement/supportLogin.jsp" access="permitAll"/>
<security:intercept-url pattern="/mobiledoc/jsp/ContentManagement/supportLogout.jsp" access="permitAll"/>
<security:intercept-url pattern="/**/uadmin/simpleCaptcha.png" access="permitAll"/>
<security:intercept-url pattern="/**/uadmin/audio.wav" access="permitAll"/>
<security:intercept-url pattern="/mobiledoc/jsp/catalog/xml/**/*" access="permitAll"/>
<security:intercept-url pattern="/mobiledoc/jsp/catalog/xml/hl7/PushLabOrders.jsp" access="permitAll"/>
<security:intercept-url pattern="/mobiledoc/jsp/**/*" access="authenticated" />
<security:intercept-url pattern="/**" access="permitAll"/>
<security:logout logout-url="/mobiledoc/jsp/ContentManagement/supportLogout.jsp" invalidate-session="true" delete-cookies="JSESSIONID" />
<!-- The permitAll rules above only control authorization. Whether a request must carry a CSRF
     token is decided solely by customCsrfRequestMatcher; a POST to a permitAll URL such as
     PushLabOrders.jsp is still rejected with 403 unless that matcher exempts it. -->
<security:csrf request-matcher-ref="customCsrfRequestMatcher"/>
<security:headers>
<security:xss-protection />
</security:headers>
</security:http>
<!-- Chain 3: every remaining URL gets no security filter chain at all (no CSRF check,
     no security headers). -->
<security:http pattern="/**" request-matcher="ant" use-expressions="true" disable-url-rewriting="true" security="none"/>
<!-- hub specific entry point -->
<bean id="hubAuthEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/mobiledoc/jsp/ContentManagement/login.jsp"/>
<security:authentication-manager alias="authenticationManager" >
<security:authentication-provider ref="customAuthenticationProvider"/>
</security:authentication-manager>
<beans:bean id="customAuthenticationProvider" class="security.CustomAuthenticationProvider">
<beans:property name="userService" ref="customUserDetailsService"/>
</beans:bean>
<!-- Global beans common for all -->
<bean id="customCsrfRequestMatcher" class="security.CustomCsrfRequestMatcher"/>
<bean id="dataSource" class="security.SpringDataSource"/>
<beans:bean id="customUserDetailsService" class="security.CustomUserService">
<beans:property name="dataSource" ref="dataSource" />
<!-- NOTE(review): in both queries the clause "((uname!='' AND uname IS NOT NULL) OR uname=?)"
     is satisfied by every row with a non-empty uname, so the bound username does not restrict
     the result set. Confirm that CustomUserService itself selects the row for the requested
     user; otherwise the lookup is not keyed on the login name at all. -->
<beans:property name="usersByUsernameQuery" value="SELECT uname AS username, upwd AS password, 'true' AS enabled FROM users WHERE delflag=0 AND UserType IN (1,2) AND status = 0 AND ((uname!='' AND uname IS NOT NULL) OR uname=?)" />
<beans:property name="authoritiesByUsernameQuery" value="SELECT uname AS username, 'Default' AS role FROM users WHERE delflag=0 AND UserType IN (1,2) AND ((uname!='' AND uname IS NOT NULL) OR uname=?)" />
</beans:bean>
</beans:beans>
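/**
 * Decides which requests the Spring Security CSRF filter must verify a token for.
 * <p>
 * {@link #matches(HttpServletRequest)} returns {@code false} (no token required) for "safe"
 * HTTP methods, for static resources under {@code /jsp/}, and for the two login pages. Any
 * other request whose path matches {@code /jsp/**} requires a valid token; requests outside
 * that path are never checked.
 * <p>
 * An {@code <intercept-url ... access="permitAll"/>} rule in the security config does not
 * exempt a URL from this check. A non-GET request to a permitAll page such as
 * {@code /jsp/catalog/xml/hl7/PushLabOrders.jsp} is therefore still rejected with 403 unless
 * it carries a token or is excluded here. If such an endpoint is excluded from CSRF, it needs
 * its own authentication, since it then accepts state-changing requests without a token.
 */
public class CustomCsrfRequestMatcher implements RequestMatcher {

    // Methods that are not state-changing and so never need a token (the same set the default
    // CsrfFilter matcher treats as safe).
    private static final Pattern SAFE_METHODS = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    // Static assets under /jsp/: either inside one of the asset directories or ending in one of
    // the listed extensions. The dot before the extension is escaped so that ".../foo.js" matches
    // but ".../foojs" does not (the unescaped "." matched any character).
    private static final Pattern RESOURCE_URL = Pattern.compile(
            ".*?/jsp/.*?((/(images|img|css|js|fonts|Apptcss)/.*?)|.*\\.(js|css|png|jpg|woff|tld|gif))$");

    // The two login pages are exempt; presumably because the credential POST arrives before a
    // token has been issued to the client. TODO confirm with the login form.
    private static final Pattern LOGIN_PAGE_URL = Pattern.compile(
            "(.*?/jsp/ContentManagement/login\\.jsp|.*?/jsp/ContentManagement/supportLogin\\.jsp)");

    // Only requests under this path are ever subject to the check; it mirrors the pattern of the
    // <security:http> chain this matcher is wired into.
    private static final AntPathRequestMatcher[] PROTECTED_PATHS = {
            new AntPathRequestMatcher("/jsp/**")
    };

    /**
     * Returns whether {@code request} must present a CSRF token.
     *
     * @param request the current request
     * @return {@code true} if the CSRF filter has to validate a token for this request
     */
    @Override
    public boolean matches(HttpServletRequest request) {
        if (SAFE_METHODS.matcher(request.getMethod()).matches()) {
            return false;
        }
        // getRequestURL() includes scheme and host; both patterns start with ".*?/jsp/" so they
        // locate the path inside the full URL.
        CharSequence url = request.getRequestURL();
        if (RESOURCE_URL.matcher(url).matches() || LOGIN_PAGE_URL.matcher(url).matches()) {
            return false;
        }
        for (AntPathRequestMatcher protectedPath : PROTECTED_PATHS) {
            if (protectedPath.matches(request)) {
                return true;
            }
        }
        return false;
    }
}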
失败的请求是 /mobiledoc/jsp/catalog/xml/hl7/PushLabOrders.jsp