发表新帖
发表新帖

Spring 3.1 MVC, Spring Security 3.1 - CSRF token

前端 未结
关注
3 1945
抹茶落季
抹茶落季 2020-12-30 02:10

At the moment I am searching for a possibility to include CRSF tokens in Spring MVC and Spring Security forms. What is the easiest solution that covers both (Spring Security

相关标签:
3条回答
  • 我在风中等你
    2020-12-30 02:43

    With Spring Security 3.2.0.RC1 comes a CSRF protection functionality. There is also a solution for AJAX requests included.

    See http://www.springsource.org/node/22675 and http://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/

    0 讨论(0)
  • 無奈伤痛
    2020-12-30 02:45

    Spring 3.1 introduced a new interface named RequestDataValueProcessor. Using this interface you can easily (and automatically - without any changes to your JSP or controllers!) register CSRF tokens to HTTP forms. You can see a detailed example in here, it also refers to the sample code on github (so you can just take it from there and use it in your application).

    0 讨论(0)
  • 慢半拍i
    2020-12-30 02:51

    UPDATE (January 2014): Spring Security 3.2 contains a CSRF-Token implementation.

    For Spring Security <= 3.1:

    Because CSRF has noting to do with Spring Secruity (Authentication & Authorization) both can be implemented separate from each other.

    There are some CRSF implementations that are based on Filters. For example there is one shipped with Tomcat 7, and Tomcat 6.0.something

    When I tryed to use them (in summer 2011) I have not the feeling that it works well. So I implemented my own.

    EDIT (April 2012): My Implementation works with Spring 3.0, if you are using Spring 3.1, then have a look at Eyal Lupu's answer and his Blog it uses some Spring 3.1 features so the filter handling is more easy.

    I have not made it public up to now (no time). But you will. You can download it (this is the first time I use 4shared.com, I hope it works):

    • source jar
    • binary jar

    The drawback of my implementation is, that you need to add the token explicit to every form that submitts POST, DELETE, PUT.

    JSP(x):

    xmlns:crsf="http://www.humanfork.de/tags/de/humanfork/security/crsf"
...
<form ...>
   <crsf:hiddenCrsfNonce/>
   ....
</form>

    web.xml

    <filter>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <filter-class>de.humanfork.security.crsf.IdempotentCsrfPreventionFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>IdempotentCrsfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
    0 讨论(0)
 看不清?
提交回复
热议问题