因为我向其添加了spring-security,所以我的Angular2客户端与我的Spring服务器进行通信时遇到了问题,即当我尝试将包含身份验证信息的JSON发送到服务器登录URL时,我得到403“无效的CSRF令牌”null '在请求参数'_csrf'或 Headers 'X-CSRF-TOKEN'上找到 . “
我知道我应该在我的响应的 Headers 上传递一个令牌以供客户端使用但是这个令牌没有被传递 . 我试过了this answer但令牌仍未通过 . 我也是通过邮递员发送请求,而令牌也没有到达 .
webSecurityConfig.xml
:
<http entry-point-ref="restAuthenticationEntryPoint">
<intercept-url pattern="/api/**" access="hasRole('ROLE_USER')"/>
<form-login
authentication-success-handler-ref="mySuccessHandler"
authentication-failure-handler-ref="myFailureHandler"
/>
<logout />
</http>
<beans:bean id="mySuccessHandler"
class="com.eficid.cloud.security.rest.AuthenticationSuccessHandler"/>
<beans:bean id="myFailureHandler" class=
"org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="temp" password="temp" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
SpringSecurityConfiguration
@Configuration
@ImportResource({ "classpath:webSecurityConfig.xml" })
@ComponentScan("com.eficid.cloud.security.rest")
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
public SpringSecurityConfig() {
super();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.httpBasic().and().authorizeRequests()
.antMatchers("/spring-security-rest/login").permitAll().anyRequest()
.authenticated().and().csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null
&& !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
}
1 回答
可能是拼写错误:
必须是X-CSRF-TOKEN而不是X-XSRF-TOKEN . 建议重构 .
检查此链接:How to access Spring CSRF restful web service