我正在使用springs-security.xml inOrder来配置csrf令牌。
csrf令牌是通过defualt启用的。即使我在配置文件中手动启用了csrf令牌。这是我的配置文件。
springs-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<security:http auto-config="true">
<security:access-denied-handler error-page="/denied"/>
<security:form-login login-page="/login"
username-parameter="j_username"
password-parameter="j_password"
login-processing-url="/j_spring_security_check"
authentication-failure-url="/login?failed=true"
default-target-url="/Hello" always-use-default-target="true"/>
<!-- <security:custom-filter ref="secfilter" before="FILTER_SECURITY_INTERCEPTOR" /> -->
<security:logout invalidate-session="false" logout-url="/j_spring_security_logout" logout-success-url="/logout"/>
<security:csrf />
<security:headers>
<security:frame-options disabled="true"/>
</security:headers>
</security:http>
Jsp
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
<input type="hidden" id="parameterName" value="${_csrf.parameterName}" />
<input type="hidden" id="token" value="${_csrf.token}" />
这些是我的配置文件。
我正在使用Ajax调用与服务器端进行通信。
return $http({
url: 'getCity?' + angular.element('#parameterName').val() + '=' + angular.element('#token').val(),
method: "POST"
})
这里我想测试csrf是否正常工作。我如何测试。
答案 0 :(得分:2)
您可以通过以下两种方式对其进行测试:
<td><button ng-click="removeRow(customer)">X</button></td>
$scope.removeRow = function (customer) {
var index = customers.findIndex(x => x.custId ==customer.custId);
$scope.customers.splice(index, 1);
};
$scope.removeRows = function () {
$scope.customers = $scope.customers.filter(i=>i.checked==false);
};
元素并编辑令牌值。触发POST提交。这通常会导致错误,HTTP状态403。