2015-12-15
6

I am using Spring Security 4.0.1. As soon as I log in, it displays my dashboard. When I click on anything, it gives me the following error page:

HTTP Status 403 - Expected CSRF token not found. Has your session expired?

I did some research on it and it says I need to add http.csrf().disable(). I am not able to add it, since it tells me the method is not defined for the type HttpSecurity.

Below is the configuration code:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsServiceImpl")
    UserDetailsService userDetailsService;

    @Autowired
    SuccessHandler successHandler;

    @Autowired
    FailureHandler failureHandler;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        // ShaPasswordEncoder from org.springframework.security.authentication.encoding is the
        // deprecated legacy encoder: SHA-1 by default, and unsalted unless a SaltSource is configured.
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is enabled by default in the Java config and nothing here turns it off,
        // so every POST/PUT/PATCH/DELETE must carry the _csrf parameter or the CSRF header.
        http.authorizeRequests()
            .antMatchers("/login.xhtml").permitAll()
            .antMatchers("/pages/**").access("isAuthenticated()")
            .antMatchers("/run**").access("isAuthenticated()")
            .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username")
            .passwordParameter("password")
            .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
    }
}

Login.xhtml

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core">
<f:view>
<h:head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <script src="js/jquery-1.js"></script>
    <script src="js/adpacks-demo.js" type="text/javascript"></script>
    <script src="js/bsa.js" type="text/javascript"></script>
</h:head>
<h:body>
    <!-- Plain HTML form posting to Spring Security's loginProcessingUrl (/login) -->
    <form id="login" action="#{request.contextPath}/login" method="POST">
        <h1>Log In</h1>
        <fieldset id="inputs">
            <input id="username" type="text" name="username" placeholder="Username" />
            <input id="password" type="password" name="password" placeholder="Password" />
        </fieldset>
        <fieldset id="actions">
            <!-- CSRF token that CsrfFilter exposes as the _csrf request attribute -->
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
            <input id="submit" value="Log in" type="submit" /><a href="">Forgot your password?</a>
        </fieldset>
    </form>
</h:body>
</f:view>
</html>

MyConfiguration.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.car")
public class MyConfiguration extends WebMvcConfigurerAdapter {

    @Bean(name = "HelloWorld")
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        // Servlet containers resolve paths case-sensitively: the directory is WEB-INF, and the
        // prefix needs a trailing slash so that "dashboard" becomes /WEB-INF/dashboard.xhtml.
        viewResolver.setPrefix("/WEB-INF/");
        viewResolver.setSuffix(".xhtml");
        return viewResolver;
    }

    /*
     * Configure ResourceHandlers to serve static resources like CSS/JavaScript etc.
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/webapp/**").addResourceLocations("/webapp/");
    }
}

SecurityWebApplicationInitializer.java

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers a DelegatingFilterProxy named springSecurityFilterChain programmatically.
// web.xml below declares a filter with the same name; the duplicate registration fails
// at startup, so keep only one of the two.
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}

AppConfig.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AppConfig {

    @Bean
    public SuccessHandler successHandler() {
        return new SuccessHandler();
    }

    @Bean
    public FailureHandler failureHandler() {
        return new FailureHandler();
    }
}

Web.xml

<?xml version="1.0" encoding="UTF-8"?> 
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0"> 


<context-param> 
     <param-name>javax.faces.DEFAULT_SUFFIX</param-name> 
     <param-value>.xhtml</param-value> 
</context-param> 

<context-param> 
    <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name> 
    <param-value>false</param-value> 
</context-param> 

<welcome-file-list> 
    <welcome-file>login.xhtml</welcome-file> 
</welcome-file-list> 
<servlet> 
    <servlet-name>Faces Servlet</servlet-name> 
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> 
    <load-on-startup>1</load-on-startup> 
</servlet> 
<servlet-mapping> 
    <servlet-name>Faces Servlet</servlet-name> 
    <url-pattern>*.xhtml</url-pattern> 
</servlet-mapping> 

<context-param> 
     <param-name>com.sun.faces.expressionFactory</param-name> 
     <param-value>com.sun.el.ExpressionFactoryImpl</param-value> 
</context-param> 

<servlet> 
    <description>generated-servlet</description> 
    <servlet-name>CAR Servlet</servlet-name> 
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
    <init-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>classpath:CAR-web-context.xml</param-value> 
    </init-param> 
    <load-on-startup>1</load-on-startup> 
</servlet> 

<listener> 
    <listener-class> 
     org.springframework.security.web.session.HttpSessionEventPublisher 
    </listener-class> 
</listener> 
<listener> 
    <listener-class> 
     org.springframework.web.context.request.RequestContextListener</listener-class> 
</listener> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 


<filter>
    <!-- SecurityContextPersistenceFilter is already the first filter inside
         springSecurityFilterChain; declaring it here runs it a second time per request. -->
    <description>
     generated-spring-security-session-integration-filter
    </description>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <filter-class>
     org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
</filter>
<filter> 
    <description>generated-persistence-filter</description> 
    <filter-name>CARFilter</filter-name> 
    <filter-class> 
     org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class> 
    <init-param> 
     <param-name>entityManagerFactoryBeanName</param-name> 
     <param-value>CAR</param-value> 
    </init-param> 
</filter> 
<filter> 
    <description>generated-sitemesh-filter</description> 
    <filter-name>Sitemesh Filter</filter-name> 
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class> 
</filter> 

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <!-- contextAttribute must name the DispatcherServlet declared above ("CAR Servlet");
         the original value pointed at a servlet called "dispatcher" that is not declared here. -->
    <init-param>
     <param-name>contextAttribute</param-name>
     <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.CAR Servlet</param-value>
    </init-param>
</filter>

<filter-mapping> 
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 
<filter-mapping>
    <!-- The filter declared above is named CARFilter; mapping an undeclared "HRBFilter" fails deployment. -->
    <filter-name>CARFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping> 
    <filter-name>Sitemesh Filter</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<persistence-unit-ref> 
    <persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name> 
    <persistence-unit-name>CAR</persistence-unit-name> 
    </persistence-unit-ref> 

    <persistence-context-ref> 
    <persistence-context-ref-name>persistence/CAR</persistence-context-ref-name> 
    <persistence-unit-name>CAR</persistence-unit-name> 
</persistence-context-ref> 

</web-app> 

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <!-- groupId, artifactId, version and packaging are not included in the post -->

<properties>
    <!-- Spring Security 3.2.5 here, not the 4.0.1 stated in the question. csrf().disable()
         exists in both lines; csrf().ignoringAntMatchers(...) needs 4.0 or later. -->
    <spring.version>4.0.2.RELEASE</spring.version>
    <spring.security.version>3.2.5.RELEASE</spring.security.version>
</properties>

<dependencies> 

    <dependency> 
     <groupId>org.springframework.security.oauth</groupId> 
     <artifactId>spring-security-oauth2</artifactId> 
     <version>2.0.7.RELEASE</version> 
    </dependency> 

    <dependency> 
     <groupId>junit</groupId> 
     <artifactId>junit</artifactId> 
     <version>3.8.1</version> 
     <scope>test</scope> 
    </dependency> 



    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-aspects</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-instrument</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-instrument-tomcat</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-tx</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-jms</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-oxm</artifactId> 
     <version>${spring.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>commons-lang</groupId> 
       <artifactId>commons-lang</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-web</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-webmvc-portlet</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-struts</artifactId> 
     <version>3.1.1.RELEASE</version> 
     <exclusions> 
      <exclusion> 
       <groupId>xalan</groupId> 
       <artifactId>xalan</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>oro</groupId> 
       <artifactId>oro</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>commons-digester</groupId> 
       <artifactId>commons-digester</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-core</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 
    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-beans</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-context</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 
    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-context-support</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 


    <dependency> <!-- Used by Hibernate 4 for LocalSessionFactoryBean -->
     <groupId>org.springframework</groupId>
     <artifactId>spring-orm</artifactId>
     <!-- Pinned to 3.1.0 while the rest of Spring is ${spring.version} (4.0.2). Mixing 3.1 and
          4.0 spring-* jars on one classpath leads to NoSuchMethodError-style failures at runtime;
          align this with ${spring.version}. -->
     <version>3.1.0.RELEASE</version>
    </dependency>


    <dependency> 
     <groupId>org.aspectj</groupId> 
     <artifactId>aspectjweaver</artifactId> 
     <version>1.6.9</version> 
    </dependency> 

    <dependency> 
     <groupId>cglib</groupId> 
     <artifactId>cglib-nodep</artifactId> 
     <version>2.2</version> 
    </dependency> 

    <dependency> 
     <groupId>commons-pool</groupId> 
     <artifactId>commons-pool</artifactId> 
     <version>1.5.3</version> 
    </dependency> 


    <dependency>
     <groupId>commons-collections</groupId>
     <artifactId>commons-collections</artifactId>
     <!-- 3.2 predates 3.2.2, which disabled unsafe deserialization of the InvokerTransformer
          gadget by default; upgrade before exposing any Java deserialization endpoint. -->
     <version>3.2</version>
    </dependency>

    <dependency> 
     <groupId>commons-httpclient</groupId> 
     <artifactId>commons-httpclient</artifactId> 
     <version>3.1</version> 
    </dependency> 


    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-core</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-aop</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-expression</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-beans</artifactId> 
      </exclusion> 

      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 

     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-web</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-tx</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-web</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-aop</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-jdbc</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-beans</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-expression</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-acl</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-aop</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-jdbc</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-tx</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 


    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-aspects</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-beans</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-cas</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-config</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-ldap</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-openid</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>com.google.inject</groupId> 
       <artifactId>guice</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-remoting</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-taglibs</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 


</project> 
+0

Do you have a correct example of how to enable it? – Alina

Answers

4

http.csrf().disable(); should be added in the class public class SecurityConfiguration extends WebSecurityConfigurerAdapter

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
        .antMatchers("/login.xhtml").permitAll()
        .antMatchers("/pages/**").access("isAuthenticated()")
        .antMatchers("/run**").access("isAuthenticated()")
        .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
        .successHandler(successHandler)
        .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
        .usernameParameter("username")
        .passwordParameter("password")
        .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);

    // Removes the CsrfFilter for every request handled by this filter chain
    http.csrf().disable();
}

http.csrf().disable() is supported in Spring Security 4.0.1 (I looked at the 3.2.3 docs, and it is already there: Class HttpSecurity).

I think there is something wrong in your configuration settings.
Please post all the related code, e.g. build.gradle for Gradle or pom.xml for Maven, web.xml, all the Spring configuration code, etc.

+0

OK. When I add this, I get the following error: Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.springframework.security.authentication.encoding.PasswordEncoder mu.sil.access.component.impl.UsersComponentImpl.passwordEncoder; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.authentication.encoding.PasswordEncoder] – Alina

+0

For those who, like me, reach this question after a while: Spring Security 4.0 added the following to disable CSRF validation for specific paths: csrf().ignoringAntMatchers(......). –

+0

CSRF countermeasures should be used correctly, not disabled. – Christian

1

I assume the configuration implements WebSecurityConfigurer (e.g. by extending WebSecurityConfigurerAdapter). In that case you can set http.csrf().disable(); in the overridden configure method. Check your dependencies or show us the complete configuration code.

That said, I suggest not disabling it, but implementing the correct usage instead. Have a look at the Spring Security reference documentation on how to use the CSRF token.

This tutorial might be of some use.

Update (for your updated question):

You let your MyConfiguration class extend WebMvcConfigurerAdapter (for MVC).

Are you 100% sure this doesn't work? Because it works for me.

@Override
protected void configure(HttpSecurity http) throws Exception {
    // Removes the CsrfFilter for every request handled by this filter chain
    http.csrf().disable();
    http.authorizeRequests().antMatchers("/login.xhtml").permitAll()
        .antMatchers("/pages/**").access("isAuthenticated()")
        .antMatchers("/run**").access("isAuthenticated()")
        .and()
        .formLogin()
        .loginProcessingUrl("/login")
        .loginPage("/login.xhtml")
        .successHandler(successHandler)
        .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
        .usernameParameter("username").passwordParameter("password")
        .and().sessionManagement().maximumSessions(2)
        .maxSessionsPreventsLogin(true);
}

You have to add another configuration class that extends WebSecurityConfigurerAdapter (for Spring Security). In that configuration you can override the SecurityConfigurer#configure(...) method.

+0

I have posted all my configuration files. Can you tell me where I should include this? http.csrf().disable(); – Alina

+1

I updated my answer based on your updated question. –

+0

I forgot to tell you something. The class where I have this method, "protected void configure(HttpSecurity http) throws Exception", already extends WebSecurityConfigurerAdapter. See the updated post. – Alina
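Following the advice in the second answer and in Christian's comment (use the CSRF protection correctly rather than disable it), here is an added example that is not part of the original question or either answer: a WebSecurityConfigurerAdapter that keeps the CsrfFilter active, exempts only one path with csrf().ignoringAntMatchers(...) (available from Spring Security 4.0, as the other comment notes, so it needs the 4.x line rather than the 3.2.5 in the posted pom.xml), and pins the token parameter and header names that the views and scripts must use. The class name and the /api/webhooks/** path are assumptions made for illustration; the login URLs and parameter names mirror the asker's configuration, and the asker's SuccessHandler/FailureHandler beans are left out to keep the example self-contained.

```java
// Added example, not code from the original post: CSRF protection stays on,
// with a single narrowly scoped exemption and explicit token parameter/header names.
// Requires Spring Security 4.0+ for CsrfConfigurer#ignoringAntMatchers.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .csrfTokenRepository(csrfTokenRepository())
                // Hypothetical path for illustration: a webhook endpoint called by a third party
                // that authenticates with its own request signature and therefore cannot send the
                // session-bound token. Every other POST/PUT/PATCH/DELETE is still checked.
                .ignoringAntMatchers("/api/webhooks/**")
                .and()
            .authorizeRequests()
                .antMatchers("/login.xhtml").permitAll()
                .antMatchers("/pages/**", "/run**").authenticated()
                .and()
            .formLogin()
                .loginPage("/login.xhtml")
                .loginProcessingUrl("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/pages/dashboard.xhtml");
    }

    // HttpSessionCsrfTokenRepository is Spring Security's default; declaring it as a bean
    // makes the parameter and header names explicit so the view layer and jQuery code
    // cannot drift from what the CsrfFilter expects.
    @Bean
    public CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setParameterName("_csrf");
        repository.setHeaderName("X-CSRF-TOKEN");
        return repository;
    }
}
```

With this in place the CsrfFilter checks every request except GET, HEAD, TRACE and OPTIONS, and any form or AJAX POST that omits the token is rejected with the 403 shown in the question. The filter exposes the token as the `_csrf` request attribute, so each `<h:form>` in a Facelets page needs `<input type="hidden" name="#{_csrf.parameterName}" value="#{_csrf.token}"/>` next to its other inputs (the question's login form already does this, but any other form on the dashboard pages must as well), and jQuery requests must send the same value in the `X-CSRF-TOKEN` header. Prefer a hidden field or header over putting the token in a URL, since query strings end up in logs and Referer headers.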