2015-12-15 11 views
6

I am using Spring Security 4.0.1. As soon as I log in, it shows my dashboard. When I click something, it gives me the error page below:

HTTP Status 403 - Expected CSRF token not found. Has your session expired?

I did some research on this and it says I need to add http.csrf().disable(). I cannot add it, because it says this method is undefined for the type HttpSecurity.

You can find the configuration code below:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

// SuccessHandler and FailureHandler are the asker's own classes (package not shown).
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsServiceImpl")
    UserDetailsService userDetailsService;

    @Autowired
    SuccessHandler successHandler;

    @Autowired
    FailureHandler failureHandler;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        // Unsalted SHA encoder, as posted; the answers below discuss the encoder bean.
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login.xhtml").permitAll()
            .antMatchers("/pages/**").access("isAuthenticated()")
            .antMatchers("/run**").access("isAuthenticated()")
            .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username")
            .passwordParameter("password")
            .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
    }
}

Login.xhtml

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core">
<f:view>
<h:head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <script src="js/jquery-1.js"></script>
    <script src="js/adpacks-demo.js" type="text/javascript"></script>
    <script src="js/bsa.js" type="text/javascript"></script>
</h:head>
<h:body>
    <form id="login" action='#{request.contextPath}/login' method='POST'>
        <h1>Log In</h1>
        <fieldset id="inputs">
            <input id="username" type="text" name="username" placeholder="Username" />
            <input id="password" type="password" name="password" placeholder="Password" />
        </fieldset>
        <fieldset id="actions">
            <!-- CSRF token exposed by Spring Security as the _csrf request attribute -->
            <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
            <input id="submit" value="Log in" type="submit" /><a href="">Forgot your password?</a>
        </fieldset>
    </form>
</h:body>
</f:view>
</html>

MyConfiguration.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.view.InternalResourceViewResolver;
import org.springframework.web.servlet.view.JstlView;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.car")
public class MyConfiguration extends WebMvcConfigurerAdapter {

    @Bean(name = "HelloWorld")
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/web-inf");
        viewResolver.setSuffix(".xhtml");
        return viewResolver;
    }

    /*
     * Configure ResourceHandlers to serve static resources like CSS/JavaScript etc.
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/webapp/**").addResourceLocations("/webapp/");
    }
}

SecurityWebApplicationInitializer.java

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

// Registers the springSecurityFilterChain for every request.
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
}

AppConfig.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AppConfig {

    @Bean
    public SuccessHandler successHandler() {
        return new SuccessHandler();
    }

    @Bean
    public FailureHandler failureHandler() {
        return new FailureHandler();
    }
}

Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">

    <context-param>
        <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
        <param-value>.xhtml</param-value>
    </context-param>

    <context-param>
        <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
        <param-value>false</param-value>
    </context-param>

    <welcome-file-list>
        <welcome-file>login.xhtml</welcome-file>
    </welcome-file-list>

    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

    <context-param>
        <param-name>com.sun.faces.expressionFactory</param-name>
        <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
    </context-param>

    <servlet>
        <description>generated-servlet</description>
        <servlet-name>CAR Servlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>classpath:CAR-web-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <description>generated-spring-security-session-integration-filter</description>
        <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
        <filter-class>org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
    </filter>
    <filter>
        <description>generated-persistence-filter</description>
        <filter-name>CARFilter</filter-name>
        <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
        <init-param>
            <param-name>entityManagerFactoryBeanName</param-name>
            <param-value>CAR</param-value>
        </init-param>
    </filter>
    <filter>
        <description>generated-sitemesh-filter</description>
        <filter-name>Sitemesh Filter</filter-name>
        <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
    </filter>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>contextAttribute</param-name>
            <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CARFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Sitemesh Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <persistence-unit-ref>
        <persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name>
        <persistence-unit-name>CAR</persistence-unit-name>
    </persistence-unit-ref>

    <persistence-context-ref>
        <persistence-context-ref-name>persistence/CAR</persistence-context-ref-name>
        <persistence-unit-name>CAR</persistence-unit-name>
    </persistence-context-ref>

</web-app>

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> 


<properties> 
    <spring.version>4.0.2.RELEASE</spring.version> 
    <spring.security.version>3.2.5.RELEASE</spring.security.version> 
</properties> 

<dependencies> 

    <dependency> 
     <groupId>org.springframework.security.oauth</groupId> 
     <artifactId>spring-security-oauth2</artifactId> 
     <version>2.0.7.RELEASE</version> 
    </dependency> 

    <dependency> 
     <groupId>junit</groupId> 
     <artifactId>junit</artifactId> 
     <version>3.8.1</version> 
     <scope>test</scope> 
    </dependency> 



    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-aspects</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-instrument</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-instrument-tomcat</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-tx</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-jms</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-oxm</artifactId> 
     <version>${spring.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>commons-lang</groupId> 
       <artifactId>commons-lang</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-web</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-webmvc-portlet</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-struts</artifactId> 
     <version>3.1.1.RELEASE</version> 
     <exclusions> 
      <exclusion> 
       <groupId>xalan</groupId> 
       <artifactId>xalan</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>oro</groupId> 
       <artifactId>oro</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>commons-digester</groupId> 
       <artifactId>commons-digester</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-core</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 
    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-beans</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-context</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 
    <dependency> 
     <groupId>org.springframework</groupId> 
     <artifactId>spring-context-support</artifactId> 
     <version>${spring.version}</version> 
    </dependency> 


    <dependency> <!-- Used by Hibernate 4 for LocalSessionFactoryBean -->
     <groupId>org.springframework</groupId> 
     <artifactId>spring-orm</artifactId> 
     <version>3.1.0.RELEASE</version> 
    </dependency> 


    <dependency> 
     <groupId>org.aspectj</groupId> 
     <artifactId>aspectjweaver</artifactId> 
     <version>1.6.9</version> 
    </dependency> 

    <dependency> 
     <groupId>cglib</groupId> 
     <artifactId>cglib-nodep</artifactId> 
     <version>2.2</version> 
    </dependency> 

    <dependency> 
     <groupId>commons-pool</groupId> 
     <artifactId>commons-pool</artifactId> 
     <version>1.5.3</version> 
    </dependency> 


    <dependency> 
     <groupId>commons-collections</groupId> 
     <artifactId>commons-collections</artifactId> 
     <version>3.2</version> 
    </dependency> 

    <dependency> 
     <groupId>commons-httpclient</groupId> 
     <artifactId>commons-httpclient</artifactId> 
     <version>3.1</version> 
    </dependency> 


    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-core</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-aop</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-expression</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-beans</artifactId> 
      </exclusion> 

      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 

     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-web</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-tx</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-web</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-aop</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-jdbc</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-beans</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-expression</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-acl</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-aop</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-jdbc</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-tx</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 


    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-aspects</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-beans</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-context</artifactId> 
      </exclusion> 
      <exclusion> 
       <groupId>org.springframework</groupId> 
       <artifactId>spring-core</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-cas</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-config</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-ldap</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-openid</artifactId> 
     <version>${spring.security.version}</version> 
     <exclusions> 
      <exclusion> 
       <groupId>com.google.inject</groupId> 
       <artifactId>guice</artifactId> 
      </exclusion> 
     </exclusions> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-remoting</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 

    <dependency> 
     <groupId>org.springframework.security</groupId> 
     <artifactId>spring-security-taglibs</artifactId> 
     <version>${spring.security.version}</version> 
    </dependency> 


</project> 
+0

Is there a proper example of how to enable it? – Alina

answer

4

http.csrf().disable(); goes in public class SecurityConfiguration extends WebSecurityConfigurerAdapter:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login.xhtml").permitAll()
            .antMatchers("/pages/**").access("isAuthenticated()")
            .antMatchers("/run**").access("isAuthenticated()")
            .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username")
            .passwordParameter("password")
            .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);

        http.csrf().disable();
    }
}

http.csrf().disable() is supported in Spring Security 4.0.1 and should be added in your class (I looked at the 3.2.3 docs and the class HttpSecurity is already there).

I think there is something wrong in your configuration settings.
Please post all related code, e.g. build.gradle for Gradle or pom.xml for Maven, web.xml, all Spring configuration code, etc.

+0

OK, when I add this I get the following error: Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.springframework.security.authentication.encoding.PasswordEncoder mu.sil.access.component.impl.UsersComponentImpl.passwordEncoder; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.authentication.encoding.PasswordEncoder] – Alina

+0

For anyone reaching this problem after a while: Spring Security 4.0 added the following to disable CSRF validation for some paths: csrf().ignoringAntMatchers(......). –

+0

CSRF countermeasures should be used correctly, not disabled. – Christian

1

The configuration implements WebSecurityConfigurer (e.g. by extending WebSecurityConfigurerAdapter). If so, you can set http.csrf().disable(); in the overridden configure method. Double-check your dependencies, or show us the complete configuration code.

That said, I recommend not disabling it, but rather implementing correct usage instead. See the Spring Security reference documentation for how to use the CSRF token.

This tutorial might be of some use.

Update (for the updated question):

You let your MyConfiguration class (for MVC) extend WebMvcConfigurerAdapter.

Are you 100% sure this doesn't work? Because it works for me.

@Override 
protected void configure(HttpSecurity http) throws Exception { 
    http.csrf().disable(); 
    http.authorizeRequests().antMatchers("/login.xhtml").permitAll() 
      .antMatchers("/pages/**").access("isAuthenticated()") 
      .antMatchers("/run**").access("isAuthenticated()") 
      .and() 
      .formLogin() 
      .loginProcessingUrl("/login") 
      .loginPage("/login.xhtml") 
      .successHandler(successHandler) 
      .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml") 
      .usernameParameter("username").passwordParameter("password") 
      .and().sessionManagement().maximumSessions(2) 
      .maxSessionsPreventsLogin(true); 
} 

You have to add another configuration class extending (Spring Security's) WebSecurityConfigurerAdapter. In that configuration you can override the SecurityConfigurer#configure(...) method.

+0

I posted my entire configuration. Can you tell me where I should add http.csrf().disable();? – Alina

+1

I updated my answer according to the updated question. –

+0

I forgot to tell you something. The class where I have this method, "protected void configure(HttpSecurity http) throws Exception", already extends WebSecurityConfigurerAdapter. See the updated post. – Alina
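As an added example that is not code from the question or from either answer, the configuration below follows the second answer's advice (and Christian's comment) to keep CSRF protection enabled rather than call http.csrf().disable(), and shows the narrower csrf().ignoringAntMatchers(...) exemption mentioned in the comments. It assumes Spring Security 4.0.x (note that the posted pom.xml pins 3.2.5.RELEASE, where ignoringAntMatchers does not exist), an existing UserDetailsService bean, and the hypothetical "/public/health" path named in the comments.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService; // assumed to exist as a bean

    // Registered as a bean so other components can autowire it (the comments above show a
    // NoSuchBeanDefinitionException for an encoder that was never registered). BCrypt is salted
    // and slow, unlike the question's ShaPasswordEncoder; a field typed as the legacy
    // authentication.encoding.PasswordEncoder must switch to this crypto interface to get it.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Session-backed repository (the 4.0.x default), declared to make the parameter name
        // explicit. Every Facelets form that POSTs, not only login.xhtml, must send it, e.g.
        //   <input type="hidden" name="#{_csrf.parameterName}" value="#{_csrf.token}"/>
        // or the CsrfFilter rejects the request with the question's "Expected CSRF token not found".
        HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
        repo.setParameterName("_csrf");
        repo.setHeaderName("X-CSRF-TOKEN"); // XHR clients may send the token as a header instead

        http.csrf()
                .csrfTokenRepository(repo)
                // Narrow exemption instead of csrf().disable(): only for paths that carry their
                // own CSRF defence. "/public/health" is a hypothetical placeholder path.
                .ignoringAntMatchers("/public/health")
            .and()
            .authorizeRequests()
                .antMatchers("/login.xhtml", "/js/**").permitAll()
                .antMatchers("/pages/**", "/run**").authenticated()
                .anyRequest().authenticated() // deny by default for anything unlisted
            .and()
            .formLogin()
                .loginPage("/login.xhtml").loginProcessingUrl("/login")
                .usernameParameter("username").passwordParameter("password")
                .defaultSuccessUrl("/pages/dashboard.xhtml")
            .and()
            .logout()
                .logoutUrl("/logout").logoutSuccessUrl("/login.xhtml?logout") // POST only while CSRF is on
            .and()
            .sessionManagement()
                .maximumSessions(2).maxSessionsPreventsLogin(true);
    }
}
```

With CSRF enabled, a GET to a protected page still works without a token; only state-changing methods (POST, PUT, DELETE, PATCH) need the _csrf parameter or X-CSRF-TOKEN header, which is why a JSF page that renders fine can still produce the 403 when one of its forms is submitted.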
