Spring 3.1 MVC, Spring Security 3.1 - CSRF token

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must follow the same CC BY-SA license, cite the original URL and author, and attribute it to the original authors (not me): StackOverflow, original address: http://stackoverflow.com/questions/9290328/

Date: 2020-09-08 04:56:30  Source: igfitidea

Spring 3.1 MVC, Spring Security 3.1 - CSRF token

Tags: spring, spring-mvc, spring-security

Asked by denis

At the moment I am searching for a possibility to include CSRF tokens in Spring MVC and Spring Security forms. What is the easiest solution that covers both (Spring Security + Spring MVC) servlets and allows rendering and evaluating CSRF tokens?


I'm surprised that this basic mechanism is not available in the Spring stack (which I consider basic for every web application framework).


PS: I have looked at HDIV but can't find a solution to use it with Spring Security as well. (e.g. login form gets rendered by Spring MVC and login request gets handled by Spring Security)


Answered by Eyal Lupu

Spring 3.1 introduced a new interface named RequestDataValueProcessor. Using this interface you can easily (and automatically, without any changes to your JSP or controllers!) register CSRF tokens to HTTP forms. You can see a detailed example here; it also refers to the sample code on github (so you can just take it from there and use it in your application).


Answered by Ralph

UPDATE (January 2014): Spring Security 3.2 contains a CSRF-Token implementation.




For Spring Security <= 3.1:


Because CSRF has nothing to do with Spring Security (Authentication & Authorization), both can be implemented separately from each other.


There are some CSRF implementations that are based on Filters. For example there is one shipped with Tomcat 7, and Tomcat 6.0.something.


When I tried to use them (in summer 2011) I did not have the feeling that they worked well. So I implemented my own.


EDIT (April 2012): My implementation works with Spring 3.0. If you are using Spring 3.1, then have a look at Eyal Lupu's answer and his blog; it uses some Spring 3.1 features, so the filter handling is easier.


I have not made it public up to now (no time). But you will. You can download it (this is the first time I use 4shared.com, I hope it works):


The drawback of my implementation is that you need to add the token explicitly to every form that submits POST, DELETE, PUT.


JSP(x):


xmlns:crsf="http://www.humanfork.de/tags/de/humanfork/security/crsf"
...
<form ...>
   <crsf:hiddenCrsfNonce/>
   ....
</form>

web.xml


<filter>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <filter-class>de.humanfork.security.crsf.IdempotentCsrfPreventionFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
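Both answers above describe the same two halves of a synchronizer-token defence: something that puts a per-session token into every form (Eyal Lupu's RequestDataValueProcessor) and a filter that refuses state-changing requests without it (Ralph's IdempotentCsrfPreventionFilter). The following is an added example that is not code from either answer, from the humanfork library, or from Spring itself; it shows both halves in one class for Spring 3.1 on Servlet 3.0. The class names, the parameter name "_csrf", the header name "X-CSRF-TOKEN" and the session attribute name are assumptions; only RequestDataValueProcessor and the javax.servlet types are real APIs.

```java
// Added example (not from the answers above or from the humanfork library):
// a synchronizer-token CSRF guard for Spring 3.1 on Servlet 3.0, in two parts.
//   1. CsrfTokenFilter issues one random token per session and rejects
//      POST/PUT/DELETE/PATCH requests whose token does not match (HTTP 403).
//   2. CsrfTokenFilter.FormFieldProcessor implements Spring 3.1's
//      RequestDataValueProcessor so <form:form> emits the hidden field itself.
// "_csrf", "X-CSRF-TOKEN" and the session key are assumed names, not Spring's.
package example.csrf;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.support.RequestDataValueProcessor;

public class CsrfTokenFilter implements Filter {

    public static final String PARAM = "_csrf";          // assumed form field / request attribute name
    public static final String HEADER = "X-CSRF-TOKEN";  // assumed header for AJAX callers
    private static final String SESSION_KEY = "example.csrf.token";
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Returns the session's token, generating 256 random bits (as hex) on first use. */
    static String tokenFor(HttpSession session) {
        synchronized (session) {              // two concurrent first requests must not race
            String token = (String) session.getAttribute(SESSION_KEY);
            if (token == null) {
                byte[] raw = new byte[32];
                RANDOM.nextBytes(raw);
                StringBuilder hex = new StringBuilder(64);
                for (byte b : raw) hex.append(String.format("%02x", b));
                token = hex.toString();
                session.setAttribute(SESSION_KEY, token);
            }
            return token;
        }
    }

    /** Only methods with side effects need the token; GET/HEAD/OPTIONS must stay idempotent. */
    static boolean isStateChanging(String method) {
        return "POST".equals(method) || "PUT".equals(method)
            || "DELETE".equals(method) || "PATCH".equals(method);
    }

    /** Constant-time comparison (token is ASCII hex, so the default charset is safe). */
    static boolean matches(String expected, String presented) {
        if (presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), presented.getBytes());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String expected = tokenFor(request.getSession(true));

        if (isStateChanging(request.getMethod())) {
            // Form posts carry the token as a parameter; AJAX callers send the header instead.
            String presented = request.getParameter(PARAM);
            if (presented == null) presented = request.getHeader(HEADER);
            if (!matches(expected, presented)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid CSRF token");
                return;                       // the request never reaches Spring Security or MVC
            }
        }
        // Expose the token so a plain <form> can add <input type="hidden" name="_csrf" value="${_csrf}"/>.
        request.setAttribute(PARAM, expected);
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    /**
     * Spring 3.1 RequestDataValueProcessor: declare it as a bean named
     * "requestDataValueProcessor" in the DispatcherServlet context and every
     * <form:form> gets the hidden token field with no change to the JSP.
     * (Spring 4 added an httpMethod parameter to processAction.)
     */
    public static class FormFieldProcessor implements RequestDataValueProcessor {
        public String processAction(HttpServletRequest request, String action) { return action; }
        public String processFormFieldValue(HttpServletRequest request, String name,
                                            String value, String type) { return value; }
        public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
            return Collections.singletonMap(PARAM, tokenFor(request.getSession(true)));
        }
        public String processUrl(HttpServletRequest request, String url) { return url; }
    }
}
```

Two points matter when wiring this up. The filter-mapping for CsrfTokenFilter must appear in web.xml before the one for springSecurityFilterChain, because filters run in mapping order and the login POST handled by Spring Security has to be checked before Spring Security consumes it; that is exactly the case the question raises. And since the token lives in the session, Spring Security's default session-fixation protection (migrateSession, which copies session attributes into the new session) keeps it valid across login, whereas the newSession setting would discard it and the first post-login form would have to pick up a fresh token. The filter reads the token with getParameter, which does not see multipart bodies; multipart uploads should send the header or be handled by a MultipartFilter mapped ahead of this one.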

Answered by Christian Müller

With Spring Security 3.2.0.RC1 comes a CSRF protection functionality. There is also a solution for AJAX requests included.


See http://www.springsource.org/node/22675 and http://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/
