我正在尝试通过参考以下链接在我的项目中实现Spring Security(3.2.3版)CSRFtoken
http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#csrf http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag
我能够在没有AJAX调用的情况下成功地将CSRF令牌集成到JSP中。但是当我尝试JSPAJAX调用时,得到了“无效CSRF令牌异常”。经过我的分析,我发现这两个AJAX调用
请任何人帮助我突袭这个问题。有没有办法生成两个令牌,即一个用于AJAX调用
xml
<access-denied-handler ref="accessDenied" />
<intercept-url pattern="/**" access="ROLE_1" />
<form-login default-target-url='/loginUser.htm' always-use-default-target='true' authentication-failure-url='/forms/common/login.jsp?error=true' />
<logout logout-success-url="/forms/common/logout.jsp" invalidate-session="true" delete-cookies="JSESSIONID" />
<session-management invalid-session-url="/forms/common/sessionexpired.jsp" session-authentication-error-url="/forms/common/login.jsp?Error=alreadyLoggedin" >
<concurrency-control expired-url="/forms/common/sessionexpired.jsp" max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
<csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
</http>
<beans:bean class="com.concerto.pg.login.security.CsrfSecurityRequestMatcher" id="csrfSecurityRequestMatcher"/>
JSP
<head>
<sec:csrfMetaTags />
<script type="text/javascript" charset="utf-8">
function changeList(id,option){
var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
var csrfToken = $("meta[name='_csrf']").attr("content");
var institution = document.getElementById("institutionId").value;
var data = {};
data[csrfParameter] = csrfToken;
data["institutionId"] = option;
if(id=="institutionId"){
var result ='';
$.ajax({
type: "GET",
async: false,
url: './getMerchantByInstitution.htm',
data: data,//"institutionId=" + option,
dataType:'json',
success: function (res) {
result = res;
var htmlVar = '';
for (var i=0; i<result.length; i++){
htmlVar += '<option
value="'+result[i]+'">'+result[i]+'</option>';
}
htmlVar += '<option value="ALL">ALL</option>';
$('#merchantId').html(htmlVar);
}
});
}
}
</script>
</head>
added below < input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" /> statement in form tag 谢啦
要在启用CSRF的情况下发出AJAX/JSON请求,您必须将CSRF令牌作为HTTP请求标头传递,而不是参数或其他数据。
在页面上,您的元标记应如下所示:
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
然后,在JS代码中的某处准备值:
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
将CSRF令牌作为标头传递:
$.ajax({
type: "GET",
async: false,
url: './getMerchantByInstitution.htm',
data: "institutionId=" + option,
beforeSend: function(xhr) {
// here it is
xhr.setRequestHeader(header, token);
},
success: function(obj) {
// ....
},
....
虽然这完全取决于您,但我建议使用JSON. stringify之类的东西来传递数据,但这当然取决于。
参考在这里:
http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html#csrf-include-csrf-token-ajax
希望这有帮助。
我希望下面的答案有所帮助。进行这些更改
var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
var csrfToken = $("meta[name='_csrf']").attr("content");
var csrfHeader = $("meta[name='_csrf_header']").attr("content"); // THIS WAS ADDED
和之后
data[csrfParameter] = csrfToken;
data["institutionId"] = option;
headers[csrfHeader] = csrfToken; // THIS WAS ADDED
ajax调用的最后变化:
url: './getMerchantByInstitution.htm',
headers: headers, // THIS WAS ADDED
data: data,//"institutionId=" + option,
dataType:'json',
让我知道这是否有效。
这为我解决了我的问题:
<meta name="_csrf" th:content="${_csrf.token}"/>
<meta name="_csrf_header" th:content="${_csrf.headerName}"/>
使用org. thymeleaf.额外的:thymeleaf-springsecurity4:3.0.2。释放
