
javascript – Spring Security CSRF token not working with an AJAX call and a form submission in the same JSP

I am trying to implement Spring Security (version 3.2.3) CSRF tokens in my project by following the links below:

http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#csrf
http://docs.spring.io/autorepo/docs/spring-security/4.0.0.CI-SNAPSHOT/reference/htmlsingle/#the-csrfmetatags-tag

I was able to integrate the CSRF token into the JSP successfully when there is no AJAX call.
But when I try to use an AJAX call from the JSP, I get an "Invalid CSRF token exception".
From my analysis, I found that the AJAX call and the form submission use the same token, which is why I am getting the 'Invalid CSRF token exception'.

Can anyone please help me get past this problem? Is there any way to generate two tokens, i.e. one for the AJAX call and one for the form submission?

security.xml file

    <access-denied-handler ref="accessDenied" />

    <intercept-url pattern="/**" access="ROLE_1" />

    <form-login default-target-url='/loginUser.htm' always-use-default-target='true' authentication-failure-url='/forms/common/login.jsp?error=true' />

    <logout logout-success-url="/forms/common/logout.jsp" invalidate-session="true" delete-cookies="JSESSIONID" />

    <session-management invalid-session-url="/forms/common/sessionexpired.jsp" session-authentication-error-url="/forms/common/login.jsp?Error=alreadyLoggedin" >
        <concurrency-control expired-url="/forms/common/sessionexpired.jsp" max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>

    <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
</http>

<beans:bean class="com.concerto.pg.login.security.CsrfSecurityRequestMatcher" id="csrfSecurityRequestMatcher"/>

JSP

<head>

<sec:csrfMetaTags />

<script type="text/javascript" charset="utf-8">

function changelist(id, option) {

    // Values rendered into <head> by <sec:csrfMetaTags />
    var csrfParameter = $("meta[name='_csrf_parameter']").attr("content");
    var csrftoken = $("meta[name='_csrf']").attr("content");

    var institution = document.getElementById("institutionId").value;
    var data = {};

    // Token is sent as a request parameter, mirroring the hidden form field
    data[csrfParameter] = csrftoken;
    data["institutionId"] = option;

    if (id == "institutionId") {

        var result = '';

        $.ajax({
            type: "GET",
            async: false,
            url: './getMerchantByInstitution.htm',
            data: data, // "institutionId=" + option,
            dataType: 'json',
            success: function (res) {
                result = res;
                var htmlVar = '';
                for (var i = 0; i < result.length; i++) {
                    htmlVar += '<option value="' + result[i] + '">' + result[i] + '</option>';
                }
                htmlVar += '<option value="ALL">ALL</option>';
                $('#merchantId').html(htmlVar);
            }
        });
    }

}

</script>
</head>
Below that, the <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" /> statement was added inside the form tag.

Thanks & regards,
Shiva

Solution

I hope the following answer helps.
Make these changes:

var csrfParameter = $("Meta[name='_csrf_parameter']").attr("content");
var csrftoken = $("Meta[name='_csrf']").attr("content"); 
var csrfheader = $("Meta[name='_csrf_header']").attr("content");  // THIS WAS ADDED

then, after

var headers = {};                   // header map for the AJAX call (declared so the line below has something to fill)
data[csrfParameter] = csrftoken;
data["institutionId"] = option;
headers[csrfheader] = csrftoken;    // THIS WAS ADDED

and finally change the ajax call to

url: './getMerchantByInstitution.htm',
headers: headers,    // THIS WAS ADDED
data: data,

Let me know whether this works.
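The pattern from the answer above, generalised into one reusable helper, as an added example that is not part of the question or the answer: it reads the three values rendered by &lt;sec:csrfMetaTags /&gt; and attaches the token in both forms Spring Security's CsrfFilter accepts (request parameter and request header), while only ever sending it to the page's own origin. It assumes jQuery-style option objects ({type, url, data, headers}) and takes the page origin as an explicit argument so the logic runs outside a browser.

```javascript
// Constructed sample of what <sec:csrfMetaTags /> renders into <head>. In a browser, read the
// real values with:  name => $("meta[name='" + name + "']").attr("content")
const SAMPLE_META = { _csrf: 'c0ffee-sample-token', _csrf_header: 'X-CSRF-TOKEN', _csrf_parameter: '_csrf' };

// Methods that carry no request body; a token placed in their "data" would end up in the query string.
const BODYLESS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Collect token, header name and parameter name; fail loudly if the tags are missing from <head>.
function readCsrfMeta(getMetaContent) {
  const csrf = {
    token: getMetaContent('_csrf'),
    headerName: getMetaContent('_csrf_header'),
    parameterName: getMetaContent('_csrf_parameter'),
  };
  if (!csrf.token || !csrf.headerName || !csrf.parameterName) {
    throw new Error('CSRF meta tags missing: is <sec:csrfMetaTags /> inside <head>?');
  }
  return csrf;
}

// Relative URLs such as './getMerchantByInstitution.htm' resolve against the page origin;
// an absolute URL must match that origin exactly.
function isSameOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin + '/').origin === pageOrigin;
}

// Return a copy of the $.ajax options with the CSRF token attached.
function withCsrf(csrf, options, pageOrigin) {
  const out = Object.assign({}, options);
  // The session's token is only sent back to the origin that issued it.
  if (!isSameOrigin(out.url, pageOrigin)) {
    return out;
  }
  // Header form: works for every method and never lands in a URL, referrer or access log.
  out.headers = Object.assign({}, out.headers, { [csrf.headerName]: csrf.token });
  // Parameter form mirrors the hidden form field; add it only when it travels in a body.
  const method = (out.type || out.method || 'GET').toUpperCase();
  if (!BODYLESS.has(method) && (out.data === undefined || typeof out.data === 'object')) {
    out.data = Object.assign({}, out.data, { [csrf.parameterName]: csrf.token });
  }
  return out;
}

// In the page:  $.ajax(withCsrf(readCsrfMeta(n => $("meta[name='" + n + "']").attr("content")), opts, location.origin));
```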

