升级到Spring Security 4，现在我无法登录

Question

我刚刚升级到Spring Security 4.2.3.RELEASE，现在我无法登录。具体来说，当我登录时，提交这些参数

OWASP_CSRFTOKEN ZLCK-J3VV-OJTK-8GZW-H68V-C8N6-CE6G-U6AQ
j_password aaa
j_username mouser

我收到错误

Could not verify the provided CSRF token because your session was not found.

你可以从上面清楚地看到它存在。下面是我的Spring安全配置。我需要检查什么才能使其正常工作？

<beans:bean id="mycoUsernamePasswordUrlAuthenticationFilter"
    class="org.collegeboard.myco.core.security.mycoUsernamePasswordUrlAuthenticationFilter">
    <beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationFailureHandler">
        <beans:bean
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
            <beans:property name="defaultFailureUrl" value="/login/failure" />
            <beans:property name="exceptionMappings" ref="exceptionMappings" />
        </beans:bean>
    </beans:property>
    <beans:property name="authenticationSuccessHandler">
        <beans:bean
            class="org.collegeboard.myco.security.mycoAuthenticationSuccessHandler">
            <beans:property name="defaultTargetUrl" value="/authenticate" />
            <beans:property name="sessionService" ref="sessionService" />
        </beans:bean>
    </beans:property>
</beans:bean> 

...     
<beans:bean id="loginUrlAuthenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg name="loginFormUrl" value="/login" />
</beans:bean>


<http name="defaultSecurity" security-context-repository-ref="mycoSecurityContextRepository"
    auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager"
    entry-point-ref="loginUrlAuthenticationEntryPoint">
    <!-- <access-denied-handler error-page="/denied"/> -->
    <custom-filter position="FORM_LOGIN_FILTER"
        ref="mycoUsernamePasswordUrlAuthenticationFilter" />
    <intercept-url pattern="/lti/launch" access="permitAll" />
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/status" access="permitAll" />
    <intercept-url pattern="/termsOfUse" access="permitAll" />
    <intercept-url pattern="/privacyPolicy" access="permitAll" />
    <intercept-url pattern="/contactUs" access="permitAll" />
    <intercept-url pattern="/legal" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
...
    <intercept-url pattern="/dwrsetcookie" access="isFullyAuthenticated()" />
    <intercept-url pattern="/dwrpageid" access="permitAll" />
    <logout invalidate-session="true" logout-success-url="/logout" logout-url="/j_spring_security_logout" />
</http>

<authentication-manager alias="authenticationManager" id="authenticationManager">
    <authentication-provider user-service-ref="sbdUserDetailsService">
        <password-encoder ref="passwordEncoder" />
    </authentication-provider>
</authentication-manager>

Answer 1

尝试将以下CSRF输入添加到您的登录jsp，

<input type="hidden" name="${_csrf.parameterName}"value="${_csrf.token}"/>

或者通过将以下内容添加到http标记

来禁用CSRF

<csrf disabled="true"/>