Spring Boot MVC 入门应用程序 —— 登录失败：无法验证提供的 CSRF 令牌，因为找不到您的会话

时间:2017-11-02 13:05:47

标签: spring-mvc spring-boot groovy spring-security

我正在尝试用 Spring Boot、Spring MVC 和 Spring Security 编写一个简单的入门应用程序，但提交登录表单后，我收到 403 响应并被重定向到 Whitelabel 错误页面。错误消息为 Could not verify the provided CSRF token because your session was not found。

有谁能告诉我我做错了什么？我是否应该以某种方式为登录端点禁用 CSRF 过滤？虽然错误信息提到了 CSRF 令牌，但我在请求头或表单数据中都没有看到它……这可能就是问题所在——我根本没有提供 CSRF 令牌？

/build.gradle

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        // Spring Boot Gradle plugin, which also pins the Boot dependency versions below.
        // NOTE(review): the 1.5.x line no longer receives security fixes upstream; plan an upgrade.
        classpath 'org.springframework.boot:spring-boot-gradle-plugin:1.5.7.RELEASE'
    } 
}

apply plugin: 'groovy' 
apply plugin: 'java' 
// 'war' packaging: the Application initializer class is only consulted when this WAR is
// deployed to an external servlet container; `SpringApplication.run` uses the embedded Jetty.
apply plugin: 'war' 
apply plugin: 'idea' 
apply plugin: 'org.springframework.boot'

sourceCompatibility = 1.8

repositories {
    mavenCentral() 
}

dependencies {
    // Embedded Tomcat is excluded in favour of Jetty (next line).
    compile ('org.springframework.boot:spring-boot-starter-web') {
        exclude module: 'spring-boot-starter-tomcat'
    }
    // NOTE(review): the Jetty starter does not bundle a JSP engine, so the views under
    // /WEB-INF/views/*.jsp cannot be compiled (and their EL such as ${_csrf} not evaluated)
    // without one (e.g. org.eclipse.jetty:apache-jsp) — confirm against the Boot 1.5 Jetty/JSP docs.
    compile 'org.springframework.boot:spring-boot-starter-jetty'
    compile 'org.springframework.boot:spring-boot-starter-actuator'
    // Pulls in Spring Security; with no explicit csrf() configuration, CSRF protection is on by default.
    compile 'org.springframework.boot:spring-boot-starter-security'
    compile 'org.codehaus.groovy:groovy-all:2.3.11'
    // JSTL tag library only — not a JSP engine.
    compile 'javax.servlet:jstl:1.2'
    testCompile group: 'junit', name: 'junit', version: '4.12'
    testCompile 'org.springframework.boot:spring-boot-starter-test'
    testCompile 'org.springframework.security:spring-security-test' 
}

/src/main/groovy/my.little.app.Application.groovy

/**
 * Application entry point.
 *
 * NOTE(review): {@code SpringApplication.run} (in {@code main}) starts the embedded Jetty and wires the
 * context from the {@code @SpringBootApplication} component scan; Boot's embedded containers do not
 * invoke {@code WebApplicationInitializer}s, so the three overrides below are only consulted when the
 * WAR is deployed to an external servlet container. They are therefore not what registers
 * {@code WebSecurityConfig} in the embedded launch.
 *
 * NOTE(review): {@code @EnableAutoConfiguration} and {@code @ComponentScan} are already implied by
 * {@code @SpringBootApplication}; {@code @EnableWebMvc} here (and on both config classes) switches off
 * Boot's MVC auto-configuration.
 */
@SpringBootApplication
@EnableWebMvc
@EnableAutoConfiguration
@ComponentScan
class Application extends AbstractAnnotationConfigDispatcherServletInitializer {
    // NOTE(review): root and servlet contexts list the same two configurations; in a container
    // deployment each (including the security filter chain) would be built twice. The usual split is
    // security in the root context and MVC in the servlet context — confirm against the scan in WebMvcConfig.
    protected Class<?>[] getRootConfigClasses() {
        return [WebMvcConfig.class, WebSecurityConfig.class]
    }
    protected Class<?>[] getServletConfigClasses() {
        return [WebMvcConfig.class, WebSecurityConfig.class]
    }
    // DispatcherServlet mapped to everything (container deployment only, see class comment).
    protected String[] getServletMappings() {
        return [ "/" ]
    }

    /** Embedded launch: boots the context from this class's annotations. */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args)
    }
}

/src/main/groovy/my.little.app.MainController.groovy

/**
 * Serves the landing page: GET / resolves to the 'index' view.
 */
@Controller
class MainController {
    /** @return the logical view name, rendered by the configured view resolver */
    @RequestMapping(value = '/', method = RequestMethod.GET)
    String index() {
        'index'
    }
}

/src/main/groovy/my.little.app.config.WebMvcConfig.groovy

/**
 * Spring MVC setup: a view controller per page, default-servlet pass-through for static
 * resources, and a JSP view resolver rooted at /WEB-INF/views/.
 */
@Configuration
@ComponentScan('my.little.app')
@EnableWebMvc
class WebMvcConfig extends WebMvcConfigurerAdapter {

    /** For every page the URL path (minus the leading slash) and the view name coincide. */
    private static final List<String> PAGES = ['index', 'login', 'secure_page']

    @Override
    void addViewControllers(ViewControllerRegistry registry) {
        super.addViewControllers(registry)
        PAGES.each { String page ->
            registry.addViewController("/$page").setViewName(page)
        }
    }

    @Override
    void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable()
    }

    /** View name 'x' maps to /WEB-INF/views/x.jsp. */
    @Bean
    ViewResolver internalResourceViewResolver() {
        new InternalResourceViewResolver(prefix: '/WEB-INF/views/', suffix: '.jsp')
    }
}

/src/main/groovy/my.little.app.config.WebSecurityConfig.groovy

/**
 * Spring Security setup for the three pages.
 *
 * No {@code csrf()} call is made, so Spring Security's default applies: CSRF protection is enabled and
 * every state-changing request — the login POST and the logout — must carry the token the filter stored
 * in the session. The fix for a rejected login POST is to include that token in the form, not to
 * disable the filter for the login endpoint.
 */
@Configuration
@EnableWebMvc
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity security) {
        // Rules are matched in declaration order: '/' and '/index' are open to everyone,
        // '/login' only to users who are NOT yet authenticated (an authenticated user
        // requesting it is denied), everything else requires authentication.
        security
            .authorizeRequests()
                .antMatchers('/', '/index').permitAll()
                .antMatchers('/login').anonymous()
                .anyRequest().authenticated()
                .and()
            // Custom login page; the default processing URL is POST /login with the default
            // 'username' / 'password' parameter names, which the login form uses.
            .formLogin()
                .loginPage('/login').permitAll()
                .defaultSuccessUrl('/secure_page')
                .failureUrl('/login?error=true')
                .and()
            // Default logout URL is /logout; with CSRF protection enabled only a POST
            // carrying the token is treated as a logout request.
            .logout()
                .permitAll()
                .logoutSuccessUrl('/login')

    }

    // Single in-memory user with a plaintext password — tutorial-only.
    // NOTE(review): Boot 1.5 / Spring Security 4 accepts this form; Spring Security 5 requires a
    // PasswordEncoder (e.g. a '{noop}' prefix or a delegating encoder) — verify before upgrading.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authBuilder) {
        authBuilder
            .inMemoryAuthentication()
                .withUser('doug').password('las').roles('WIZARD')
    }
}

/src/main/webapp/WEB-INF/views/index.jsp

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Web Security Tutorial</title>
    </head>
    <body>
        <%-- Landing page; '/' and '/index' are permitAll in WebSecurityConfig.
             The GET form merely navigates to the login page; GET requests are not
             subject to the CSRF check, so no token is needed here. --%>
        <div>Welcome to the Web Security Tutorial</div>
        <form method="get" action="/login">
            <input type="submit" value="Sign In" />
        </form>
    </body>
</html>

/src/main/webapp/WEB-INF/views/login.jsp

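<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Web Security Tutorial</title>
    </head>
    <body>
        <%-- Login form posted to Spring Security's default processing URL (POST /login).
             CSRF protection is on by default, so the POST is only accepted when it carries the
             token the filter issued for the session; the hidden field below supplies it.
             ${_csrf} is the CsrfToken request attribute set by CsrfFilter. This EL is only
             evaluated when the page is compiled by a JSP engine (see build dependencies). --%>
        <form method="post" action="login">
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
            <div><label> User name: <input name="username" type="text"/></label></div>
            <div><label> Password: <input name="password" type="password"/></label></div>
            <div><input type="submit" value="Sign In"/></div>
        </form>
    </body>
</html>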

/src/main/webapp/WEB-INF/views/secure_page.jsp

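<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title>Web Security Tutorial</title>
    </head>
    <body>
        <div>Don't worry, no one can see this but you. Here are your deepest darkest secrets...</div>
        <%-- With CSRF protection enabled, Spring Security only treats POST /logout carrying the
             CSRF token as a logout; the previous GET form would not end the session.
             ${_csrf} is the CsrfToken request attribute set by CsrfFilter (requires a JSP engine). --%>
        <form method="post" action="/logout">
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
            <input type="submit" value="Log Out"/>
        </form>
    </body>
</html>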

0 个答案:

没有答案