在服务器中启用 csrf 保护时 httpinvoker 不工作
httpinvoker not working when csrf protection is enabled in server
我有两个 spring Web 应用程序受 spring 安全保护。这两个应用程序通过 spring httpInovoker 相互通信。访问控制工作正常。但是,当我在 <http auto-config="true"> 标签 httpinvoker return 403 status 下启用 spring 安全性中的 <csrf/> 时。堆栈跟踪在下面给出。但是同样的代码在没有csrf保护的情况下是运行成功的。请帮助
org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [http://172.28.1.162:6060/ReporterRepository/ExposedLinkService.http]; nested exception is java.io.IOException: Did not receive successful HTTP response: status code = 403, status message = [Forbidden]
Spring安全xml:
<http auto-config="true">
<intercept-url pattern="/home**" access="ROLE_ADMIN,ROLE_USER" />
<intercept-url pattern="/admin**" access="ROLE_ADMIN" />
<form-login
login-page="/loginuser"
default-target-url="/home"
authentication-failure-url="/loginuser?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/loginuser?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<authentication-manager erase-credentials="false">
<authentication-provider user-service-ref="myUserDetailsService" >
</authentication-provider>
</authentication-manager>
调用代码:
HttpInvokerProxyFactoryBean HttpinvokerFactory = new HttpInvokerProxyFactoryBean();
HttpinvokerFactory.setServiceInterface(ExposedLinkServiceInterface.class);
HttpinvokerFactory.setServiceUrl(ServiceUrl);
HttpinvokerFactory.setHttpInvokerRequestExecutor(( HttpInvokerRequestExecutor)ServerFramework.getInstance().getBean("httpInvokerRequestExecutor"));//Return the bean httpInvokerRequestExecutor
HttpinvokerFactory.afterPropertiesSet();
ExposedLinkServiceInterface exposedservice = (ExposedLinkServiceInterface) HttpinvokerFactory.getObject();
List AvailabaleLinks= exposedservice.retrieveAllLinks();
我认为这里的关键是为 HttpInvoker 创建一个单独的配置 URL(s):
<http pattern="/your-httpinvoker-path" create-session="stateless">
<!-- security for httpinvoker without csrf protection -->
</http>
<http auto-config="true">
<!-- same as before -->
</http>
我有两个 spring Web 应用程序受 spring 安全保护。这两个应用程序通过 spring httpInovoker 相互通信。访问控制工作正常。但是,当我在 <http auto-config="true"> 标签 httpinvoker return 403 status 下启用 spring 安全性中的 <csrf/> 时。堆栈跟踪在下面给出。但是同样的代码在没有csrf保护的情况下是运行成功的。请帮助
org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [http://172.28.1.162:6060/ReporterRepository/ExposedLinkService.http]; nested exception is java.io.IOException: Did not receive successful HTTP response: status code = 403, status message = [Forbidden]
Spring安全xml:
<http auto-config="true">
<intercept-url pattern="/home**" access="ROLE_ADMIN,ROLE_USER" />
<intercept-url pattern="/admin**" access="ROLE_ADMIN" />
<form-login
login-page="/loginuser"
default-target-url="/home"
authentication-failure-url="/loginuser?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/loginuser?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<authentication-manager erase-credentials="false">
<authentication-provider user-service-ref="myUserDetailsService" >
</authentication-provider>
</authentication-manager>
调用代码:
HttpInvokerProxyFactoryBean HttpinvokerFactory = new HttpInvokerProxyFactoryBean();
HttpinvokerFactory.setServiceInterface(ExposedLinkServiceInterface.class);
HttpinvokerFactory.setServiceUrl(ServiceUrl);
HttpinvokerFactory.setHttpInvokerRequestExecutor(( HttpInvokerRequestExecutor)ServerFramework.getInstance().getBean("httpInvokerRequestExecutor"));//Return the bean httpInvokerRequestExecutor
HttpinvokerFactory.afterPropertiesSet();
ExposedLinkServiceInterface exposedservice = (ExposedLinkServiceInterface) HttpinvokerFactory.getObject();
List AvailabaleLinks= exposedservice.retrieveAllLinks();
我认为这里的关键是为 HttpInvoker 创建一个单独的配置 URL(s):
<http pattern="/your-httpinvoker-path" create-session="stateless">
<!-- security for httpinvoker without csrf protection -->
</http>
<http auto-config="true">
<!-- same as before -->
</http>