为什么没有为我的请求生成 CSRF cookie?
Why no CSRF cookie is generated for my request?
我正在尝试激活 Spring 中的 CSRF cookie。所以我有以下 class:
SecurityAdapter.java
@Configuration
@EnableWebSecurity
public class SecurityAdapter extends WebSecurityConfigurerAdapter
{
@Override
protected void configure(HttpSecurity http)
throws Exception
{
http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}
由于我正在尝试实现 REST Web 服务(没有 HTML 或其他任何东西),我相信对服务器的第一个请求应该是 GET 请求,因为其他请求类型将需要 XSRF-TOKEN 我们还没有。
所以当我发送 GET 请求时,我希望收到一些 cookie 作为响应(毕竟我是个好孩子!)。但是我什么都没有。
这是其余的项目文件:
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.4.2.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
DemoApplication.java
package com.example;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class DemoApplication
{
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
}
Controller.Java
package com.example;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class Controller
{
@RequestMapping(value = "/first", method = RequestMethod.GET)
public ResponseEntity get()
{
return ResponseEntity.ok("first");
}
@RequestMapping(value = "/second", method = RequestMethod.POST)
public ResponseEntity post()
{
return ResponseEntity.ok("second");
}
}
当我调用 second 方法时(当然是在 POST 方法中),我得到:
{
"timestamp": 1481500256460,
"status": 403,
"error": "Forbidden",
"message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
"path": "/second"
}
但是当我在调用 GET 时获取 first 方法时,我没有得到任何 cookie 来使用并调用 second 方法!
我错过了什么?
我测试了你的代码,我在 cookie 中得到 csrf 令牌。我在 Chrome 浏览器中验证了 GET 方法并检查了 cookies 选项卡。存在由服务返回的 XSRF-TOKEN。为了打印服务返回的 csrf 令牌,我修改了 Controller 中的 first 方法,如下所示。请测试一下。
@RequestMapping(value = "/first", method = RequestMethod.GET)
public ResponseEntity get(HttpServletRequest request)
{
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
System.out.println(token.getHeaderName()+" = "+token.getToken());
return ResponseEntity.ok("first");
}
还有一件事。当您使用 Spring 引导时,您应该使用 spring-boot-starter-security,而不是单独的 Spring 安全依赖项。 pom.xml 中的依赖项应该如下所示。
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
我正在尝试激活 Spring 中的 CSRF cookie。所以我有以下 class:
SecurityAdapter.java
@Configuration
@EnableWebSecurity
public class SecurityAdapter extends WebSecurityConfigurerAdapter
{
@Override
protected void configure(HttpSecurity http)
throws Exception
{
http
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}
由于我正在尝试实现 REST Web 服务(没有 HTML 或其他任何东西),我相信对服务器的第一个请求应该是 GET 请求,因为其他请求类型将需要 XSRF-TOKEN 我们还没有。
所以当我发送 GET 请求时,我希望收到一些 cookie 作为响应(毕竟我是个好孩子!)。但是我什么都没有。
这是其余的项目文件:
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.4.2.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
DemoApplication.java
package com.example;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class DemoApplication
{
public static void main(String[] args) {
SpringApplication.run(DemoApplication.class, args);
}
}
Controller.Java
package com.example;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class Controller
{
@RequestMapping(value = "/first", method = RequestMethod.GET)
public ResponseEntity get()
{
return ResponseEntity.ok("first");
}
@RequestMapping(value = "/second", method = RequestMethod.POST)
public ResponseEntity post()
{
return ResponseEntity.ok("second");
}
}
当我调用 second 方法时(当然是在 POST 方法中),我得到:
{
"timestamp": 1481500256460,
"status": 403,
"error": "Forbidden",
"message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
"path": "/second"
}
但是当我在调用 GET 时获取 first 方法时,我没有得到任何 cookie 来使用并调用 second 方法!
我错过了什么?
我测试了你的代码,我在 cookie 中得到 csrf 令牌。我在 Chrome 浏览器中验证了 GET 方法并检查了 cookies 选项卡。存在由服务返回的 XSRF-TOKEN。为了打印服务返回的 csrf 令牌,我修改了 Controller 中的 first 方法,如下所示。请测试一下。
@RequestMapping(value = "/first", method = RequestMethod.GET)
public ResponseEntity get(HttpServletRequest request)
{
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
System.out.println(token.getHeaderName()+" = "+token.getToken());
return ResponseEntity.ok("first");
}
还有一件事。当您使用 Spring 引导时,您应该使用 spring-boot-starter-security,而不是单独的 Spring 安全依赖项。 pom.xml 中的依赖项应该如下所示。
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>