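I am trying to implement the Spring Security (ver 3.2.3) CSRF token in my project by following the links below:
http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#csrf http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag
I was able to integrate the CSRF token successfully in JSPs that make no AJAX calls. However, when I try a JSP that uses an AJAX call, I get an "invalid CSRF token exception". After my analysis, I found that the AJAX call and the form submission use the same token, which is why I get the "invalid CSRF token exception".
Could anyone please help me get rid of this issue? Is there any way to generate two tokens, i.e. one for the AJAX call and one for the form submission?
security.xml file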
    <access-denied-handler ref="accessDenied" />
    <intercept-url pattern="/**" access="ROLE_1" />
    <form-login default-target-url='/loginUser.htm' always-use-default-target='true' authentication-failure-url='/forms/common/login.jsp?error=true' />
    <logout logout-success-url="/forms/common/logout.jsp" invalidate-session="true" delete-cookies="JSESSIONID" />
    <session-management invalid-session-url="/forms/common/sessionexpired.jsp" session-authentication-error-url="/forms/common/login.jsp?Error=alreadyLoggedin" >
        <concurrency-control expired-url="/forms/common/sessionexpired.jsp" max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
    <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
</http>
<beans:bean class="com.concerto.pg.login.security.CsrfSecurityRequestMatcher" id="csrfSecurityRequestMatcher"/>
JSP
<head>
<sec:csrfMetaTags />
<script type="text/javascript" charset="utf-8">
function changeList(id,option){
    var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
    var csrfToken = $("meta[name='_csrf']").attr("content");
    var institution = document.getElementById("institutionId").value;
    var data = {};
    data[csrfParameter] = csrfToken;
    data["institutionId"] = option;
    if(id=="institutionId"){
        var result =''; …
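An added example, not part of the original post: one way to send the token rendered by `<sec:csrfMetaTags />` as a request header on same-origin, state-changing AJAX calls. The helper names, the `/changeList.htm` URL, the origin and the token value are assumptions constructed for illustration; the safe-method list follows Spring Security's default matcher, and the post's custom `CsrfSecurityRequestMatcher` may behave differently.

```javascript
// Added example. Meta names are those emitted by <sec:csrfMetaTags />;
// helper names, URLs and token values are constructed for illustration.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the CSRF meta tags from any object exposing querySelector (e.g. document).
function readCsrfMeta(doc) {
  const get = (name) => {
    const el = doc.querySelector(`meta[name='${name}']`);
    return el ? el.getAttribute("content") : null;
  };
  return { token: get("_csrf"), header: get("_csrf_header"), parameter: get("_csrf_parameter") };
}

// Return a copy of `headers` with the CSRF header added only when the request
// changes state and targets the page's own origin, so the token is never
// sent to another site.
function csrfHeaders(meta, method, url, pageOrigin, headers = {}) {
  const out = { ...headers };
  if (SAFE_METHODS.has(String(method).toUpperCase())) return out;
  if (new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin) return out;
  if (!meta.token || !meta.header) {
    throw new Error("CSRF meta tags missing: is <sec:csrfMetaTags /> inside <head>?");
  }
  out[meta.header] = meta.token;
  return out;
}

// Constructed stand-in for the rendered <head>; in a browser pass `document`.
const sampleDoc = {
  tags: { _csrf: "constructed-token-123", _csrf_header: "X-CSRF-TOKEN", _csrf_parameter: "_csrf" },
  querySelector(sel) {
    const m = /meta\[name='([^']+)'\]/.exec(sel);
    const value = m && this.tags[m[1]];
    return value ? { getAttribute: () => value } : null;
  },
};

const meta = readCsrfMeta(sampleDoc);
const origin = "https://app.example"; // hypothetical application origin
console.log(csrfHeaders(meta, "POST", "/changeList.htm", origin)); // header attached
console.log(csrfHeaders(meta, "GET", "/changeList.htm", origin)); // safe method: none
console.log(csrfHeaders(meta, "POST", "https://other.example/x", origin)); // cross-origin: none
```

In a browser the returned object can be passed as the `headers` option of `$.ajax`. Spring Security's `CsrfFilter` reads the token from the header named by `_csrf_header` first and falls back to the `_csrf_parameter` request parameter.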