笔记簿
ᴄᴏᴅɪɴɢ ɪs ᴀʀᴛ
首页
关于
搜索
登录
注册
springboot安全问题之CSRF - springboot security CSRF问题
#### springboot security CSRF问题 ```html <meta name="_csrf" th:attr="content=${_csrf.token}" /> <meta name="_csrf_header" th:attr="content=${_csrf.headerName}" /> ``` 1. 表单提交,添加隐藏域 ```html <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> <input type="hidden" th:attr="name=${_csrf.parameterName}" th:value="${_csrf.token}"/> ``` 2. Ajax提交,添加参数 ```javascript data:{ "${_csrf.parameterName}" : "${_csrf.token}" } ``` ```java org.springframework.security.web.csrf.CsrfFilter @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { request.setAttribute(HttpServletResponse.class.getName(), response); CsrfToken csrfToken = this.tokenRepository.loadToken(request); final boolean missingToken = csrfToken == null; //如果token为空,说明第一次访问,生成一个token对象 if (missingToken) { csrfToken = this.tokenRepository.generateToken(request); this.tokenRepository.saveToken(csrfToken, request, response); } request.setAttribute(CsrfToken.class.getName(), csrfToken); //把token对象放到request中,注意这里key是csrfToken.getParameterName()= _csrf,所以我们页面上才那么写死。 request.setAttribute(csrfToken.getParameterName(), csrfToken); //这个macher就是我们在Spring配置文件中自定义的过滤器,也就是GET,HEAD, TRACE, OPTIONS和我们的rest都不处理 if (!this.requireCsrfProtectionMatcher.matches(request)) { filterChain.doFilter(request, response); return; } String actualToken = request.getHeader(csrfToken.getHeaderName()); if (actualToken == null) { actualToken = request.getParameter(csrfToken.getParameterName()); } if (!csrfToken.getToken().equals(actualToken)) { if (this.logger.isDebugEnabled()) { this.logger.debug("Invalid CSRF token found for " + UrlUtils.buildFullRequestUrl(request)); } if (missingToken) { this.accessDeniedHandler.handle(request, response, new MissingCsrfTokenException(actualToken)); } else { this.accessDeniedHandler.handle(request, response, new InvalidCsrfTokenException(csrfToken, actualToken)); } return; } filterChain.doFilter(request, response); } ``` ##### 采用Ajax提交 ```javascript <script type="text/javascript" th:inline="javascript"> //解决thymeleaf解析&字符抛异常 /*<![CDATA[*/ var token = $("meta[name='_csrf']").attr("content"); var header = $("meta[name='_csrf_header']").attr("content"); $.ajaxSetup({ beforeSend : function(xhr) { if (header && token) { xhr.setRequestHeader(header, token); } } }); /*]]>*/ </script> <script type="text/javascript"> $(function() { $("button:eq(0)").click(function() { $.ajax({ url : "manual/expired", type : "PUT", success : function(msg) { layer.msg("预处理债转",{icon: 1}); }, dataType : "json" }); }); }); </script> ``` ##### thymeleaf使用表单提交 thymeleaf使用`th:action`标识表单提交时,会自动生成`input`标签在`form`表单中 ```html <input type="hidden" name="_csrf" value="0d82d758-50ac-4977-b8c0-02089d88f760" /> ``` ```html <form th:action="@{manual/expired}" method="post"> <input type="hidden" name="_method" value="PUT"/> <button>提交</button> </form> ``` 配置类 ```java @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); } } ```