Cookies.get(' XSRF-TOKEN')返回undefined(spring web jar)

时间:2018-04-28 11:44:58

标签: java spring-boot spring-security csrf webjars

我关注百里香的页面:

<!DOCTYPE html>
<html lang="en" ng-app="springChat" xmlns:th="http://www.springframework.org/schema/beans">
<head>
    <meta charset="utf-8"/>
    <title>Spring WebSocket Chat</title>
    <script type="text/javascript" src="/webjars/js-cookie/js.cookie.js"></script>
    <script src="/webjars/jquery/jquery.min.js"></script>

    <meta name="_csrf" th:content="${_csrf.token}"/>
    <meta name="_csrf_header" th:content="${_csrf.headerName}"/>
    <meta name="_csrf_parameter_name" th:content="${_csrf.parameterName}"/>
</head
.....

到本页我附上了以下js:

function connect() {
    var socket = new SockJS('/gs-guide-websocket');
    stompClient = Stomp.over(socket);

    var token = $("meta[name='_csrf']").attr("content");
    var paramName = $("meta[name='_csrf_parameter_name']").attr("content");
    var csrfHeader = $("meta[name='_csrf_header']").attr("content");

    //$('<input>').attr('type', 'hidden').attr('name', csrfHeader).attr('value', token).appendTo('#login-form');
    var headers = {};
    headers[csrfHeader] = token;

    stompClient.connect(headers, function (frame) {...));

}

工作正常。我看到它将csrf令牌发送到服务器。

当我阅读spring tutorial时,我在新的春天找到了有趣的功能:

如果要在页面上添加<script type="text/javascript" src="/webjars/js-cookie/js.cookie.js"></script>,您可以使用以下行检索令牌:

Cookies.get('XSRF-TOKEN')

它包含在依赖项中:

compile("org.webjars:js-cookie:2.1.0")

所以我添加了它并编写了以下代码:

function connect() {
    var socket = new SockJS('/gs-guide-websocket');
    stompClient = Stomp.over(socket);

    var headers = {};
    headers["X-XSRF-TOKEN"] = Cookies.get('XSRF-TOKEN');

    stompClient.connect(headers, function (frame) {...));

}

浏览器控制台:

Opening Web Socket...
stomp.min.js:8 Web Socket Opened...
stomp.min.js:8 >>> CONNECT
X-XSRF-TOKEN:undefined
accept-version:1.1,1.0
heart-beat:10000,10000

<<< ERROR
message:Failed to send message to ExecutorSubscribableChannel[clientInboundChannel]; nested exception is org.springframework.security.web.csrf.InvalidCsrfTokenException\c Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
content-length:0

的build.gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:2.0.1.RELEASE")
    }
}

apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management'

jar {
    baseName = 'gs-messaging-stomp-websocket'
    version = '0.1.0'
}
sourceCompatibility = 1.8
targetCompatibility = 1.8

repositories {
    mavenCentral()
}

dependencies {
    compile("org.springframework.boot:spring-boot-starter-websocket")
    compile("org.webjars:webjars-locator-core")
    compile("org.webjars:sockjs-client:1.0.2")
    compile("org.webjars:stomp-websocket:2.3.3")
    compile("org.webjars:bootstrap:3.3.7")
    compile("org.webjars:jquery:3.1.0")
    compile("org.webjars:js-cookie:2.1.0")
    compile('org.thymeleaf:thymeleaf-spring5');

    compile("org.springframework.boot:spring-boot-starter-actuator")
    //security
    compile ('org.springframework.security:spring-security-messaging')
    compile group: 'org.springframework.security', name: 'spring-security-web'
    compile group: 'org.springframework.security', name: 'spring-security-config'

    testCompile("org.springframework.boot:spring-boot-starter-test")
}

为什么这不能正常工作?

1 个答案:

答案 0 :(得分:0)

如果Cookie为JavaScript或Cookie属于不同的域或上下文路径,则不允许

HttpOnly读取Cookie。

确保已使用CookieCsrfTokenRepository.withHttpOnlyFalse()

创建了csrfTokenRepository bean
相关问题
最新问题