Невалиден CSRF Token Spring 4 MVC при опит за качване

Опитвам се да кача файл с уеб приложение, използвайки Spring MVC 4, но получавам грешка:

Невалиден CSRF токен „null“ беше открит в параметъра на заявката „_csrf“ или заглавката „X-CSRF-TOKEN“.

Пролетна версия:

Пролетна версия 4.1.7.RELEASE

Spring Security 4.0.1.RELEASE

Код:

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

    <context:property-placeholder location="classpath:webapp.properties" />

    <context:annotation-config />

    <context:component-scan base-package="com.opessoftware" />

    <mvc:annotation-driven />

    <bean id="messageSource"
        class="org.springframework.context.support.ResourceBundleMessageSource">
        <property name="basename" value="messages" />
    </bean> 

    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix">
            <value>/WEB-INF/views/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
    </bean>

</beans>
4.xsd"
    version="2.4">

    <display-name>FATCA Web Application</display-name>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-web-servlet.xml         
        </param-value>
    </context-param>

    <servlet>
        <servlet-name>spring-web</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>  

    <servlet-mapping>
        <servlet-name>spring-web</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>

</web-app>

spring-web-servlet.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

    <context:property-placeholder location="classpath:webapp.properties" />

    <context:annotation-config />

    <context:component-scan base-package="com.opessoftware" />

    <mvc:annotation-driven />

    <bean id="messageSource"
        class="org.springframework.context.support.ResourceBundleMessageSource">
        <property name="basename" value="messages" />
    </bean> 

    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix">
            <value>/WEB-INF/views/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
    </bean>

</beans>

Settings.jsp

<form:form method="POST" action="uploadFile.html"
                            enctype="multipart/form-data" security="none">
                            <table style="width: 100%" border="1">
                                <tr>
                                    <td colspan="1" style="text-align: left"><input
                                        type="file" name="file" style="width: 100%;" /></td>
                                    <td colspan="1" style="text-align: left"><input
                                        type="submit" value=<spring:message code="uploadSettings" /> />
                                    </td>
                                </tr>
                            </table>
                        </form:form>

Съдържание на полезен товар на заявка за публикуване след изпращане на файл, наречен test.txt, който съдържа низа „Тест“:

Content-Type: multipart/form-data; boundary=---------------------------83935555814334632461054528816
Content-Length: 368

-----------------------------83935555814334632461054528816
Content-Disposition: form-data; name="file"; filename="test.txt"
Content-Type: text/plain

Test
-----------------------------83935555814334632461054528816
Content-Disposition: form-data; name="_csrf"

41f3dc0a-b97f-4dac-bc49-21e02be53818
-----------------------------83935555814334632461054528816--

José Mendes 08.07.2015 източник

comment

CSRF защитата е включена по подразбиране в Spring Security 4.x. Тъй като не сте публикували вашата Spring Security конфигурация, предполагам, че не сте я изключили (в противен случай не бихте получили споменатата грешка). Трудното е, че в многочастна заявка всяка част се разглежда индивидуално и следователно трябва да съдържа CSRF токена. Това може да бъде трудно за прилагане, така че има заобиколни решения. Вижте тази публикация за потенциално решение. - manish 09.07.2015

Отговори (1)

arrow_upward
4
arrow_downward

Поправих това, като следвах общия съвет във втората точка на приетия отговор на Spring Security 3.2, CSRF и multipart заявки, но използвайки Spring Security 4.0 .1.RELEASE вместо версия 3.2.

Промяна 1

Актуализира уеб приложението от Servlet API 2.4 на Servlet API 3.0:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
          http://java.sun.com/xml/ns/javaee/web-appcommons-fileupload0.xsd"
          version="3.0">
....
</web-app>

Промяна 2

Използвайки конфигурация, базирана на Java, създаде StandardServletMultipartResolver, който използва обработката на много части на Servlet 3.0 и не изисква commons-fileupload. Обърнете внимание, че първоначалната реализация пренебрегна изричното създаване на многочастен резолвер, въпреки че включи зависимост commons-fileupload в проекта Maven.

@Configuration
public class WebApplicationConfiguration {
    @Bean
    public MultipartResolver multipartResolver() {
        return new StandardServletMultipartResolver();
    }
}

Промяна 3

Добавен е „multipart-config“ към DispatcherServlet:

In web.xml:

<servlet>
    <servlet-name>spring-web</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    <multipart-config>
        <location>/tmp</location>
        <max-file-size>1000000</max-file-size>
        <max-request-size>1000000</max-request-size>
        <file-size-threshold>10000</file-size-threshold>
    </multipart-config>
</servlet>

Използване на Java:

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
    public SecurityWebApplicationInitializer() {
    super(SecurityConfiguration.class);
    }

    @Override
    protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
    final XmlWebApplicationContext appContext = new XmlWebApplicationContext();
    appContext.setConfigLocation("/WEB-INF/spring-web-servlet.xml");

    final ServletRegistration.Dynamic registration = servletContext.addServlet("dispatcher",
        new DispatcherServlet(appContext));
    registration.setLoadOnStartup(1);
    registration.addMapping("/");
    registration.setMultipartConfig(new MultipartConfigElement("", 1000000, 1000000, 100000));
    }
}

Промяна 4

Премахната зависимост commons-fileupload от проекта Maven.

Derek Mahar 09.07.2015