Redis spring 会话中的 CSRF 令牌
CSRF token in redis spring session
我正在尝试根据需要在 spring 会话 redis 中添加 CSRF 令牌到 运行 集群中的 webapp。
两者都需要解决方案 Spring Java config/xml(旧版本)
并且我已经在会话部分使用RedisHttpSessionConfiguration(在第一阶段实现)
我的 WebSecurityConfig 是
package com.groupon.website.config;
import javax.servlet.FilterRegistration;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private Logger logger = LogManager.getLogger(WebSecurityConfig.class);
@Autowired
@Qualifier("csrfSecurityRequestMatcher")
RequestMatcher csrfSecurityRequestMatcher;
@Autowired
@Qualifier("redisCsrfTokenRepository")
private CsrfTokenRepository redisCsrfTokenRepository;
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Inside WebSecurityConfig");
//403 issue
http.headers().xssProtection().and().csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher)
.csrfTokenRepository(redisCsrfTokenRepository)
;
}
}
CsrfTokenRepository 是 RedisCsrfTokenRepository
package com.groupon.website.config;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.session.ExpiringSession;
import org.springframework.session.data.redis.RedisOperationsSessionRepository;
import org.springframework.stereotype.Component;
import org.springframework.util.SerializationUtils;
import redis.clients.jedis.Jedis;
@Component
public class RedisCsrfTokenRepository implements CsrfTokenRepository,InitializingBean {
private static final Logger log = LoggerFactory.getLogger(RedisCsrfTokenRepository.class);
public static final String CSRF_PARAMETER_NAME = "_csrf";
public static final String CSRF_HEADER_NAME = "X-CSRF-TOKEN";
@Value("${redis.host.name}")
private String redisHostName;
@Value("${redis.port}")
private int redisPort;
private Jedis tokenRepository;
@Autowired
private JedisConnectionFactory jedisConnectionFactory;
//@Autowired
//private RedisOperationsSessionRepository sessionRepository;
public RedisCsrfTokenRepository() {
log.info("Creating {}", RedisCsrfTokenRepository.class.getSimpleName());
}
@Override
public CsrfToken generateToken(HttpServletRequest request) {
return new DefaultCsrfToken(CSRF_HEADER_NAME, CSRF_PARAMETER_NAME, createNewToken());
}
@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
String key = getKey(request);
if (key == null)
return;
if (token == null) {
//Use connection factory
//tokenRepository.del(key.getBytes());
jedisConnectionFactory.getConnection().del(key.getBytes());
} else {
//Use connection factory
//tokenRepository.set(key.getBytes(), SerializationUtils.serialize(token));
jedisConnectionFactory.getConnection().set(key.getBytes(), SerializationUtils.serialize(token));
}
}
@Override
public CsrfToken loadToken(HttpServletRequest request) {
String key = getKey(request);
if (key != null) {
//Use connection factory
//byte[] tokenString = tokenRepository.get(key.getBytes());
byte[] tokenString = jedisConnectionFactory.getConnection().get(key.getBytes());
if (tokenString != null) {
return (CsrfToken) SerializationUtils.deserialize(tokenString);
}
}
return null;
}
private String getKey(HttpServletRequest request) {
//getKey going to be changed
HttpSession session = request.getSession(false);
//RedisOperationsSessionRepository sessionRepository = new RedisOperationsSessionRepository(redisConnectionFactory)
//ExpiringSession session = sessionRepository.getSession(request.getSession().getId());
if (session == null) {
return null;
}
String result = session.getId()+CSRF_PARAMETER_NAME;
//String result = request.getHeader("X-CSRF-TOKEN");
return result;
}
private String createNewToken() {
return UUID.randomUUID().toString();
}
@Override
public void afterPropertiesSet() throws Exception {
tokenRepository = new Jedis(redisHostName, redisPort, 30000);
}
}
(未使用tokenRpository,我只是原样复制粘贴代码,但正在使用jedisConnectionFatcory)
我仍然间歇性地收到 403,表明未获取 CSRF 令牌。
只显示了 java 配置。有人可以帮我吗。
我们已经通过更改我们的 RedisCsrfTokenRepository 来获取密钥而不是
来解决它
HttpSession session = request.getSession(false);
我们正在使用
Cookie sessionCookies = WebUtil.getCookie (request, WebAppConstants.SESSION);
if (sessionCookies == null || sessionCookies.getValue() == null) {
return null;
}
String sessionId = sessionCookies.getValue();
因为我们使用的是有效的 cookie。
在管道中,更改 defaultSessionFilter 以便不需要此更改。
我正在尝试根据需要在 spring 会话 redis 中添加 CSRF 令牌到 运行 集群中的 webapp。
两者都需要解决方案 Spring Java config/xml(旧版本)
并且我已经在会话部分使用RedisHttpSessionConfiguration(在第一阶段实现)
我的 WebSecurityConfig 是
package com.groupon.website.config;
import javax.servlet.FilterRegistration;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private Logger logger = LogManager.getLogger(WebSecurityConfig.class);
@Autowired
@Qualifier("csrfSecurityRequestMatcher")
RequestMatcher csrfSecurityRequestMatcher;
@Autowired
@Qualifier("redisCsrfTokenRepository")
private CsrfTokenRepository redisCsrfTokenRepository;
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Inside WebSecurityConfig");
//403 issue
http.headers().xssProtection().and().csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher)
.csrfTokenRepository(redisCsrfTokenRepository)
;
}
}
CsrfTokenRepository 是 RedisCsrfTokenRepository
package com.groupon.website.config;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.session.ExpiringSession;
import org.springframework.session.data.redis.RedisOperationsSessionRepository;
import org.springframework.stereotype.Component;
import org.springframework.util.SerializationUtils;
import redis.clients.jedis.Jedis;
@Component
public class RedisCsrfTokenRepository implements CsrfTokenRepository,InitializingBean {
private static final Logger log = LoggerFactory.getLogger(RedisCsrfTokenRepository.class);
public static final String CSRF_PARAMETER_NAME = "_csrf";
public static final String CSRF_HEADER_NAME = "X-CSRF-TOKEN";
@Value("${redis.host.name}")
private String redisHostName;
@Value("${redis.port}")
private int redisPort;
private Jedis tokenRepository;
@Autowired
private JedisConnectionFactory jedisConnectionFactory;
//@Autowired
//private RedisOperationsSessionRepository sessionRepository;
public RedisCsrfTokenRepository() {
log.info("Creating {}", RedisCsrfTokenRepository.class.getSimpleName());
}
@Override
public CsrfToken generateToken(HttpServletRequest request) {
return new DefaultCsrfToken(CSRF_HEADER_NAME, CSRF_PARAMETER_NAME, createNewToken());
}
@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
String key = getKey(request);
if (key == null)
return;
if (token == null) {
//Use connection factory
//tokenRepository.del(key.getBytes());
jedisConnectionFactory.getConnection().del(key.getBytes());
} else {
//Use connection factory
//tokenRepository.set(key.getBytes(), SerializationUtils.serialize(token));
jedisConnectionFactory.getConnection().set(key.getBytes(), SerializationUtils.serialize(token));
}
}
@Override
public CsrfToken loadToken(HttpServletRequest request) {
String key = getKey(request);
if (key != null) {
//Use connection factory
//byte[] tokenString = tokenRepository.get(key.getBytes());
byte[] tokenString = jedisConnectionFactory.getConnection().get(key.getBytes());
if (tokenString != null) {
return (CsrfToken) SerializationUtils.deserialize(tokenString);
}
}
return null;
}
private String getKey(HttpServletRequest request) {
//getKey going to be changed
HttpSession session = request.getSession(false);
//RedisOperationsSessionRepository sessionRepository = new RedisOperationsSessionRepository(redisConnectionFactory)
//ExpiringSession session = sessionRepository.getSession(request.getSession().getId());
if (session == null) {
return null;
}
String result = session.getId()+CSRF_PARAMETER_NAME;
//String result = request.getHeader("X-CSRF-TOKEN");
return result;
}
private String createNewToken() {
return UUID.randomUUID().toString();
}
@Override
public void afterPropertiesSet() throws Exception {
tokenRepository = new Jedis(redisHostName, redisPort, 30000);
}
}
(未使用tokenRpository,我只是原样复制粘贴代码,但正在使用jedisConnectionFatcory)
我仍然间歇性地收到 403,表明未获取 CSRF 令牌。
只显示了 java 配置。有人可以帮我吗。
我们已经通过更改我们的 RedisCsrfTokenRepository 来获取密钥而不是
来解决它HttpSession session = request.getSession(false);
我们正在使用
Cookie sessionCookies = WebUtil.getCookie (request, WebAppConstants.SESSION);
if (sessionCookies == null || sessionCookies.getValue() == null) {
return null;
}
String sessionId = sessionCookies.getValue();
因为我们使用的是有效的 cookie。
在管道中,更改 defaultSessionFilter 以便不需要此更改。