POST请求中的CSRF令牌无效

Question

概述
我将使用API​​ Gateway作为基于Spring安全性的身份验证.我刚刚按照https://spring.io/guides/tutorials/spring-security-and-angular-js/链接中的步骤创建了一个基于其对应的github项目的"pair-double"模块的项目的https://github.com/spring-guides/tut-spring-security-and-angular-js.git.

问题
问题在于,当向服务器提交任何POST请求时,将抛出"无效的CSRF令牌"异常.抛出异常的示例如下:

{
  "timestamp": 1461714933215,
  "status": 403,
  "error": "Forbidden",
  "message": "Invalid CSRF Token '1cdc44ad-43cb-44e6-b903-bec24fe903fd' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.",
  "path": "/ui/test"
}

我检查了一个重新检查的问题,但没有用.我用postman测试了这个场景,并将'X-XSRF-TOKEN'设置为POST请求的标题,但什么也没发生.

---

所以,由于我是初学者使用Spring安全方法,如果有人能建议我一个解决方案,我将不胜感激.

Answer 1

查看该项目的安全配置,您会注意到使用过滤器XSRF-TOKEN在每个请求中添加了一个cookie .所以你需要做的就是获取该cookie的值并将其存储在头文件中.我已经制作了一个具有类似安全配置的测试项目来测试这种情况,完整的代码如下所示:X-XSRF-TOKEN

@RestController
@SpringBootApplication
public class TestApplication extends WebSecurityConfigurerAdapter {

    public static void main(String[] args) {
        SpringApplication.run(TestApplication.class, args);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/**")  // Disable authentication for all requests.
            .permitAll()
            .and()
            .csrf().csrfTokenRepository(csrfTokenRepository())
            .and()
            .addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class); // Register csrf filter.
    }

    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {

            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain filterChain) throws ServletException, IOException {

                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null
                            && !token.equals(cookie.getValue())) {

                        // Token is being added to the XSRF-TOKEN cookie.
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    @RequestMapping(value = "/test", method = RequestMethod.GET)
    public String testGet() {
        return "hello";
    }

    @RequestMapping(value = "/test", method = RequestMethod.POST)
    public String testPost() {
        return "works!";
    }
}

要与邮递员一起测试,请执行以下操作:

• 启用拦截器以开始捕获cookie.
• 执行GET /test请求并打开cookie选项卡.你应该注意到一个带有名字的cookie XSRF-TOKEN.
• 获取该cookie的值并将其放入X-XSRF-TOKEN标头并执行POST /test请求.