_csrf token is spring 3.2.8

I want to protect my application against CSRF attacks, so I added this to my applicationContext.xml:

<security:global-method-security secured-annotations="enabled" />

<security:http auto-config="true">
    <security:csrf/>
    <security:intercept-url pattern="/**" access="permitAll" />
</security:http>

<security:authentication-manager/>

Here is my web.xml

<!-- spring security csrf -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>fr.telecom.support.context.DevicesSecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Here is my filter

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;

public class DevicesSecurityFilter extends DelegatingFilterProxy {

    public DevicesSecurityFilter() {
        // default constructor used by the servlet container
    }

    public DevicesSecurityFilter(Filter delegate) {
        super(delegate);
    }

    public DevicesSecurityFilter(String targetBeanName) {
        super(targetBeanName);
    }

    public DevicesSecurityFilter(String targetBeanName,
            WebApplicationContext wac) {
        super(targetBeanName, wac);
    }

    @Override
    public void doFilter(ServletRequest request,
                         ServletResponse response,
                         FilterChain filterChain) throws ServletException, IOException {

        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            ThreadContext threadContext = ThreadContext.getInstance();

            // Copy the authenticated user's details into the per-thread context
            try {
                EcasUser ecasUser = (EcasUser) httpServletRequest.getUserPrincipal();
                if (ecasUser != null) {
                    threadContext.setDomainUsername(ecasUser.getDomainUsername());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
            threadContext.setUserID(httpServletRequest.getRemoteUser());
        }

        System.out.println("filterChain -> " + filterChain);

        // Hand the request to the next filter in the servlet chain
        if (filterChain != null) {
            filterChain.doFilter(request, response);
        }
    }
}

and added this to the JSP

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 

But when I run the program and check the JSP, this is what I find! And no exception is thrown!

<input type="hidden" name="" value=""/> 

I think something like this should appear:

<input type="hidden" name="_csrf" value="8d0bf854-83a1-4fbf-a792-390a84ecf545"/>

First of all, I'd like to say that extending DelegatingFilterProxy is not a good idea.

The problem is that the delegate is never called.

A possible quick fix is to replace filterChain.doFilter with:

super.doFilter(request, response, filterChain);
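As an added example of the answer's first point (this is not code from the question or the answer), the same thread-context logic as a plain filter built on Spring's OncePerRequestFilter, registered in web.xml next to the stock DelegatingFilterProxy instead of replacing it. The class name DevicesContextFilter and the filter-name devicesContextFilter are my choice; ThreadContext and EcasUser are the asker's own classes, assumed to live in the same package and to behave as used in the question.

```java
package fr.telecom.support.context;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Fills the per-thread user context, then continues the chain.
 *
 * Registered in web.xml as its own filter, so springSecurityFilterChain
 * keeps the stock DelegatingFilterProxy class and Spring Security's own
 * filters (including CsrfFilter, which sets the _csrf request attribute
 * read by the JSP) actually run:
 *
 *   <filter>
 *     <filter-name>springSecurityFilterChain</filter-name>
 *     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 *   </filter>
 *   <filter>
 *     <filter-name>devicesContextFilter</filter-name>
 *     <filter-class>fr.telecom.support.context.DevicesContextFilter</filter-class>
 *   </filter>
 *   (one <filter-mapping> on /* per filter; filters run in mapping order)
 */
public class DevicesContextFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain)
            throws ServletException, IOException {

        // ThreadContext and EcasUser: the asker's classes, used as in the question
        ThreadContext threadContext = ThreadContext.getInstance();
        Object principal = request.getUserPrincipal();
        if (principal instanceof EcasUser) {
            threadContext.setDomainUsername(((EcasUser) principal).getDomainUsername());
        }
        threadContext.setUserID(request.getRemoteUser());

        // This filter only decorates the request; Spring Security runs separately
        filterChain.doFilter(request, response);
    }
}
```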