HTTP Status 403 - Expected CSRF token not found. Has your session expired?
Posted: 2016-03-21 14:38:21
Question: I am using Spring Security 4.0.1. As soon as I log in, it shows me my dashboard. When I click on something, it gives me the following error page:
HTTP Status 403 - Expected CSRF token not found. Has your session expired?
I did some research on it and it says I need to add http.csrf().disable(). I cannot add it, because it tells me that the method is not defined for the type HttpSecurity.
Please find the configuration code below:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsServiceImpl")
    UserDetailsService userDetailsService;

    @Autowired
    SuccessHandler successHandler;

    @Autowired
    FailureHandler failureHandler;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login.xhtml").permitAll()
            .antMatchers("/pages/**").access("isAuthenticated()")
            .antMatchers("/run**").access("isAuthenticated()")
            .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
                .successHandler(successHandler)
                .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
                .usernameParameter("username")
                .passwordParameter("password")
            .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
    }
}
login.xhtml
<!DOCTYPE html>
<f:view>
  <h:head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <script src="js/jquery-1.js"></script>
    <script src="js/adpacks-demo.js" type="text/javascript"></script>
    <script src="js/bsa.js" type="text/javascript"></script>
  </h:head>
  <h:body>
    <form id="login" action='#{request.contextPath}/login' method='POST'>
      <h1>Log In</h1>
      <fieldset id="inputs">
        <input id="username" type="text" name="username" placeholder="Username" />
        <input id="password" type="password" name="password" placeholder="Password" />
      </fieldset>
      <fieldset id="actions">
        <!-- CSRF token exposed by Spring Security's CsrfFilter as the _csrf request attribute -->
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
        <input id="submit" value="Log in" type="submit" /><a href="">Forgot your password?</a>
      </fieldset>
    </form>
  </h:body>
</f:view>
MyConfiguration.java
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.car")
public class MyConfiguration extends WebMvcConfigurerAdapter {

    @Bean(name = "HelloWorld")
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/web-inf");
        viewResolver.setSuffix(".xhtml");
        return viewResolver;
    }

    /*
     * Configure ResourceHandlers to serve static resources like CSS/JavaScript etc.
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/webapp/**").addResourceLocations("/webapp/");
    }
}
SecurityWebApplicationInitializer.java
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}
AppConfig.java
@Configuration
public class AppConfig {

    @Bean
    public SuccessHandler successHandler() {
        return new SuccessHandler();
    }

    @Bean
    public FailureHandler failureHandler() {
        return new FailureHandler();
    }
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
  <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
    <param-value>false</param-value>
  </context-param>
  <welcome-file-list>
    <welcome-file>login.xhtml</welcome-file>
  </welcome-file-list>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>
  <context-param>
    <param-name>com.sun.faces.expressionFactory</param-name>
    <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
  </context-param>
  <servlet>
    <description>generated-servlet</description>
    <servlet-name>CAR Servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>classpath:CAR-web-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <description>generated-spring-security-session-integration-filter</description>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <filter-class>org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
  </filter>
  <filter>
    <description>generated-persistence-filter</description>
    <filter-name>CARFilter</filter-name>
    <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
    <init-param>
      <param-name>entityManagerFactoryBeanName</param-name>
      <param-value>CAR</param-value>
    </init-param>
  </filter>
  <filter>
    <description>generated-sitemesh-filter</description>
    <filter-name>Sitemesh Filter</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
  </filter>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>contextAttribute</param-name>
      <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>HRBFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>Sitemesh Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <persistence-unit-ref>
    <persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
  </persistence-unit-ref>
  <persistence-context-ref>
    <persistence-context-ref-name>persistence/CAR</persistence-context-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
  </persistence-context-ref>
</web-app>
pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <properties>
    <spring.version>4.0.2.RELEASE</spring.version>
    <spring.security.version>3.2.5.RELEASE</spring.security.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.security.oauth</groupId>
      <artifactId>spring-security-oauth2</artifactId>
      <version>2.0.7.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-aspects</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-instrument</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-instrument-tomcat</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-tx</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-jms</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-oxm</artifactId>
      <version>${spring.version}</version>
      <exclusions>
        <exclusion>
          <groupId>commons-lang</groupId>
          <artifactId>commons-lang</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc-portlet</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-struts</artifactId>
      <version>3.1.1.RELEASE</version>
      <exclusions>
        <exclusion>
          <groupId>xalan</groupId>
          <artifactId>xalan</artifactId>
        </exclusion>
        <exclusion>
          <groupId>oro</groupId>
          <artifactId>oro</artifactId>
        </exclusion>
        <exclusion>
          <groupId>commons-digester</groupId>
          <artifactId>commons-digester</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context-support</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency> <!-- Used by Hibernate 4 for LocalSessionFactoryBean -->
      <groupId>org.springframework</groupId>
      <artifactId>spring-orm</artifactId>
      <version>3.1.0.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.aspectj</groupId>
      <artifactId>aspectjweaver</artifactId>
      <version>1.6.9</version>
    </dependency>
    <dependency>
      <groupId>cglib</groupId>
      <artifactId>cglib-nodep</artifactId>
      <version>2.2</version>
    </dependency>
    <dependency>
      <groupId>commons-pool</groupId>
      <artifactId>commons-pool</artifactId>
      <version>1.5.3</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2</version>
    </dependency>
    <dependency>
      <groupId>commons-httpclient</groupId>
      <artifactId>commons-httpclient</artifactId>
      <version>3.1</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-core</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-aop</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-expression</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-context</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-beans</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-tx</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-web</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-aop</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-jdbc</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-context</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-beans</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-expression</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-acl</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-aop</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-jdbc</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-context</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-tx</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-aspects</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-beans</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-context</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-cas</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-ldap</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-openid</artifactId>
      <version>${spring.security.version}</version>
      <exclusions>
        <exclusion>
          <groupId>com.google.inject</groupId>
          <artifactId>guice</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-remoting</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-taglibs</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
  </dependencies>
</project>
Comments on the question:
Do you have a correct example of how to enable it?
Answer 1:
I assume your configuration implements WebSecurityConfigurer (e.g. by extending WebSecurityConfigurerAdapter).
If so, you can set http.csrf().disable(); in the overridden configure method. Double-check your dependencies, or show us the complete configuration code.
That said, I recommend that you do not disable it but implement the correct usage instead. Have a look at the spring security reference documentation on how to use CSRF tokens.
This tutorial may also be of some use.
Update (for your updated question):
You let the MyConfiguration class extend WebMvcConfigurerAdapter (for MVC).
Are you 100% sure this does not work? Because it works for me:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.authorizeRequests().antMatchers("/login.xhtml").permitAll()
        .antMatchers("/pages/**").access("isAuthenticated()")
        .antMatchers("/run**").access("isAuthenticated()")
        .and()
        .formLogin()
            .loginProcessingUrl("/login")
            .loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username").passwordParameter("password")
        .and().sessionManagement().maximumSessions(2)
            .maxSessionsPreventsLogin(true);
}
You must add another configuration class that extends WebSecurityConfigurerAdapter (for Spring Security). In that configuration you can override the SecurityConfigurer#configure(...) method.
Comments:
I have posted all my configuration files. Could you tell me where I should include this? http.csrf().disable();
I have updated my answer according to your updated question.
I forgot to tell you one thing. The class that has this method, "protected void configure(HttpSecurity http) throws Exception", already extends WebSecurityConfigurerAdapter. See the updated post.
Please post the complete configuration class, not only the configure method! If you have a stack trace, please post it as well.
I configured the DispatcherServlet in web.xml rather than in the Java configuration. Is that possible? Will it work properly?
Answer 2:
http.csrf().disable();
should be added to your class public class SecurityConfiguration extends WebSecurityConfigurerAdapter:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        .antMatchers("/login.xhtml").permitAll()
        .antMatchers("/pages/**").access("isAuthenticated()")
        .antMatchers("/run**").access("isAuthenticated()")
        .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username")
            .passwordParameter("password")
        .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
    http.csrf().disable();
}
Spring Security 4.0.1 supports http.csrf().disable()
(I checked the 3.2.3 documentation and it already exists there: Class HttpSecurity).
I think there is something wrong with your configuration setup. Please post all the relevant code, e.g. build.gradle for Gradle or pom.xml for Maven, web.xml, all Spring configuration code, etc.
Comments:
Ok, when I add this I get the following error: Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.springframework.security.authentication.encoding.PasswordEncoder mu.sil.access.component.impl.UsersComponentImpl.passwordEncoder; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.authentication.encoding.PasswordEncoder]
For those like me who run into this question some time later: Spring Security 4.0 added the following to disable CSRF validation for certain paths: csrf().ignoringAntMatchers(......).
CSRF countermeasures should be used properly, not disabled.
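As an added illustration (not code from the question or either answer), a small Python model of the synchronizer-token check that a CSRF filter such as Spring Security's performs, showing why a POST with no token in the session yields "Expected CSRF token not found" (session new or expired) while a live session with a missing or wrong token yields the "Invalid CSRF token" message, and how a per-path exclusion like csrf().ignoringAntMatchers() differs from disabling the filter. The parameter name _csrf and header name X-CSRF-TOKEN are the ones Spring Security uses; the session dict, the path-prefix approximation of Ant matching and the sample requests are constructed for this demo.

```python
import hmac
import secrets

# Names Spring Security uses for the token on the request (see the form and the
# error messages on this page); the session dict and sample requests are constructed.
PARAM = "_csrf"
HEADER = "X-CSRF-TOKEN"
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}


def issue_token(session):
    """Put a fresh token in the session, as rendering ${_csrf.token} into a form does."""
    session[PARAM] = secrets.token_urlsafe(24)
    return session[PARAM]


def path_ignored(path, patterns):
    """Rough stand-in for csrf().ignoringAntMatchers(): '/x/**' prefix or exact match."""
    return any(path.startswith(p[:-2]) if p.endswith("/**") else path == p
               for p in patterns)


def check_request(session, method, path, params, headers, ignored=()):
    """Model of the CsrfFilter decision. Returns (status, message)."""
    if method.upper() in SAFE_METHODS or path_ignored(path, ignored):
        return 200, "no token required"
    expected = session.get(PARAM)
    if expected is None:
        # Nothing to compare against: the session is new or has expired.
        return 403, "Expected CSRF token not found. Has your session expired?"
    actual = params.get(PARAM) or headers.get(HEADER)
    if actual is None or not hmac.compare_digest(actual.encode(), expected.encode()):
        return 403, ("Invalid CSRF token '%s' was found on the request parameter '%s' "
                     "or header '%s'." % ("null" if actual is None else actual, PARAM, HEADER))
    return 200, "token ok"


def demo():
    """The sequence behind the question: returns the three status codes."""
    session = {}
    # 1) POST before any page put a token in the session (or after it expired).
    first = check_request(session, "POST", "/login", {}, {})[0]
    token = issue_token(session)      # login.xhtml is rendered with the hidden field
    # 2) The form is submitted with the hidden _csrf field intact.
    second = check_request(session, "POST", "/login", {PARAM: token}, {})[0]
    # 3) Same session, but the hidden field was not rendered or not sent.
    third = check_request(session, "POST", "/login", {}, {})[0]
    return first, second, third


if __name__ == "__main__":
    print(demo())  # (403, 200, 403)
```

The third case is the one to look for when a JSF page does not evaluate the hidden field's EL: the session still holds a token, but the browser never sends it.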