1. 首页
  2. 问答
  3. HTTP状态403 - 请求参数中发现无效的CSRF令牌'null'

HTTP状态403 - 请求参数中发现无效的CSRF令牌'null'

2015-08-13 32 views
5

我必须为我的宁静服务发出HTTP.Post(Android应用程序),才能注册新用户!HTTP状态403 - 请求参数中发现无效的CSRF令牌'null'

问题是,当我尝试向注册端点(没有安全性)发出请求时,Spring一直阻止我!

我的项目依赖

<properties> 
    <java-version>1.6</java-version> 
    <org.springframework-version>4.1.7.RELEASE</org.springframework-version> 
    <org.aspectj-version>1.6.10</org.aspectj-version> 
    <org.slf4j-version>1.6.6</org.slf4j-version> 
    <jackson.version>1.9.10</jackson.version> 
    <spring.security.version>4.0.2.RELEASE</spring.security.version> 
    <hibernate.version>4.2.11.Final</hibernate.version> 
    <jstl.version>1.2</jstl.version> 
    <mysql.connector.version>5.1.30</mysql.connector.version> 
</properties>

春季安全

<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans.xsd 
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security.xsd"> 

<!--this is the register endpoint--> 
<http security="none" pattern="/webapi/cadastro**"/> 


    <http auto-config="true" use-expressions="true"> 
       <intercept-url pattern="/webapi/dados**" 
      access="hasAnyRole('ROLE_USER','ROLE_SYS')" /> 
     <intercept-url pattern="/webapi/system**" 
      access="hasRole('ROLE_SYS')" /> 

<!--  <access-denied-handler error-page="/negado" /> --> 
     <form-login login-page="/home/" default-target-url="/webapi/" 
      authentication-failure-url="/home?error" username-parameter="username" 
      password-parameter="password" /> 
     <logout logout-success-url="/home?logout" />   
     <csrf token-repository-ref="csrfTokenRepository" /> 
    </http> 

    <authentication-manager> 
     <authentication-provider> 
      <password-encoder hash="md5" /> 
      <jdbc-user-service data-source-ref="dataSource" 
       users-by-username-query="SELECT username, password, ativo 
        FROM usuarios 
        WHERE username = ?" 
       authorities-by-username-query="SELECT u.username, r.role 
        FROM usuarios_roles r, usuarios u 
        WHERE u.id = r.usuario_id 
        AND u.username = ?" /> 
     </authentication-provider> 
    </authentication-manager> 

    <beans:bean id="csrfTokenRepository" 
     class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"> 
     <beans:property name="headerName" value="X-XSRF-TOKEN" /> 
    </beans:bean> 

</beans:beans>

控制器

@RestController 
@RequestMapping(value="/webapi/cadastro", produces="application/json") 
public class CadastroController { 
    @Autowired 
    UsuarioService usuarioService; 

    Usuario u = new Usuario(); 

    @RequestMapping(value="/novo",method=RequestMethod.POST) 
    public String register() { 
     // this.usuarioService.insert(usuario); 
     // usuario.setPassword(HashMD5.criptar(usuario.getPassword())); 
     return "teste"; 
    } 
}

JS邮政(角)

$http.post('/webapi/cadastro/novo').success(function(data) { 
      alert('ok'); 
     }).error(function(data) { 
      alert(data); 
     });

和错误

HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'

--- ---解决

实现的滤波器,以我的X-XSRF-TOKEN重视每一个请求头

public class CsrfHeaderFilter extends OncePerRequestFilter { 
    @Override 
    protected void doFilterInternal(HttpServletRequest request, 
     HttpServletResponse response, FilterChain filterChain) 
     throws ServletException, IOException { 
    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class 
     .getName()); 
    if (csrf != null) { 
     Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN"); 
     String token = csrf.getToken(); 
     if (cookie==null || token!=null && !token.equals(cookie.getValue())) { 
     cookie = new Cookie("XSRF-TOKEN", token); 
     cookie.setPath("/"); 
     response.addCookie(cookie); 
     } 
    } 
    filterChain.doFilter(request, response); 
    } 
}

增加了一个映射将此过滤器设置为web.xml并完成!

来源

2015-08-13 Lucas Freitas

回答

11

在上面的代码中,我看不到将CSRF标记传递给客户端的东西(如果使用JSP等,这是自动的)。

一个流行的做法是编写一个过滤器,将CSRF标记附加为cookie。您的客户端首先发送一个GET请求来获取该cookie。对于随后的请求,该cookie随后会作为标题发回。

鉴于官方Spring Angular guide详细解释它,您可以参考Spring Lemon作为一个完整的工作示例。

要将cookie作为标题发回,可能需要编写一些代码。 AngularJS在默认情况下会这样做(除非您发送跨域请求),但这里是一个示例,如果它有助于防止您的客户端:

angular.module('appBoot') 
    .factory('XSRFInterceptor', function ($cookies, $log) { 

    var XSRFInterceptor = { 

     request: function(config) { 

     var token = $cookies.get('XSRF-TOKEN'); 

     if (token) { 
      config.headers['X-XSRF-TOKEN'] = token; 
      $log.info("X-XSRF-TOKEN: " + token); 
     } 

     return config; 
     } 
    }; 
    return XSRFInterceptor; 
    }); 

angular.module('appBoot', ['ngCookies', 'ngMessages', 'ui.bootstrap', 'vcRecaptcha']) 
    .config(['$httpProvider', function ($httpProvider) { 

     $httpProvider.defaults.withCredentials = true; 
     $httpProvider.interceptors.push('XSRFInterceptor'); 

    }]);

来源

2015-08-13 02:51:01 Sanjay

相关问题

 相关问题