_csrf 令牌是 spring 3.2.8
_csrf token is spring 3.2.8
我想保护我的应用程序免受 CSRF 攻击,所以我将此添加到我的 applicationContext.xml:
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
<security:csrf/>
<security:intercept-url pattern="/**" access="permitAll" />
</security:http>
<security:authentication-manager/>
这是我的 web.xml
<!-- spring security csrf -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>fr.telecom.support.context.DevicesSecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
这是我的过滤器
public class DevicesSecurityFilter extends DelegatingFilterProxy {
public DevicesSecurityFilter() {
// TODO Auto-generated constructor stub
}
public DevicesSecurityFilter(Filter delegate) {
super(delegate);
}
public DevicesSecurityFilter(String targetBeanName) {
super(targetBeanName);
}
public DevicesSecurityFilter(String targetBeanName,
WebApplicationContext wac) {
super(targetBeanName, wac);
}
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
HttpServletRequest httpServletRequest;
ThreadContext threadContext;
if (request instanceof HttpServletRequest) {
httpServletRequest = (HttpServletRequest) request;
threadContext = ThreadContext.getInstance();
try {
EcasUser ecasUser = (EcasUser) httpServletRequest.getUserPrincipal();
if (ecasUser != null) {
threadContext.setDomainUsername(ecasUser.getDomainUsername());
}
} catch (Exception e) {
e.printStackTrace();
}
threadContext.setUserID(httpServletRequest.getRemoteUser());
}
System.out.println ("filterChain -> " + filterChain );
if (filterChain != null) {
filterChain.doFilter(request, response);
}
}
并在 JSP 中添加了
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
但是当我 运行 程序和 ckech JSP 这就是我发现的!并且没有抛出异常!
<input type="hidden" name="" value=""/>
我想应该会出现这样的东西:
<input type="hidden" name="_csrf" value="8d0bf854-83a1-4fbf-a792-390a84ecf545"/>
首先,我想说扩展 DelegatingFilterProxy 不是一个好主意。
问题是永远不会调用委托。
一个可能的快速修复方法是将 filterChain.doFilter 替换为:
super.doFilter(request, response, filterChain);
我想保护我的应用程序免受 CSRF 攻击,所以我将此添加到我的 applicationContext.xml:
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
<security:csrf/>
<security:intercept-url pattern="/**" access="permitAll" />
</security:http>
<security:authentication-manager/>
这是我的 web.xml
<!-- spring security csrf -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>fr.telecom.support.context.DevicesSecurityFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
这是我的过滤器
public class DevicesSecurityFilter extends DelegatingFilterProxy {
public DevicesSecurityFilter() {
// TODO Auto-generated constructor stub
}
public DevicesSecurityFilter(Filter delegate) {
super(delegate);
}
public DevicesSecurityFilter(String targetBeanName) {
super(targetBeanName);
}
public DevicesSecurityFilter(String targetBeanName,
WebApplicationContext wac) {
super(targetBeanName, wac);
}
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
HttpServletRequest httpServletRequest;
ThreadContext threadContext;
if (request instanceof HttpServletRequest) {
httpServletRequest = (HttpServletRequest) request;
threadContext = ThreadContext.getInstance();
try {
EcasUser ecasUser = (EcasUser) httpServletRequest.getUserPrincipal();
if (ecasUser != null) {
threadContext.setDomainUsername(ecasUser.getDomainUsername());
}
} catch (Exception e) {
e.printStackTrace();
}
threadContext.setUserID(httpServletRequest.getRemoteUser());
}
System.out.println ("filterChain -> " + filterChain );
if (filterChain != null) {
filterChain.doFilter(request, response);
}
}
并在 JSP 中添加了
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
但是当我 运行 程序和 ckech JSP 这就是我发现的!并且没有抛出异常!
<input type="hidden" name="" value=""/>
我想应该会出现这样的东西:
<input type="hidden" name="_csrf" value="8d0bf854-83a1-4fbf-a792-390a84ecf545"/>
首先,我想说扩展 DelegatingFilterProxy 不是一个好主意。
问题是永远不会调用委托。
一个可能的快速修复方法是将 filterChain.doFilter 替换为:
super.doFilter(request, response, filterChain);