gpt4 book ai didi

java - Spring Boot + Security - 启用 CSRF 时无法上传文件(多部分)

转载 作者:搜寻专家 更新时间:2023-10-31 20:27:09 24 4
gpt4 key购买 nike

我想从我的 angularJS 客户端上传文件。我启用了 CSRF 保护并且它工作正常,除非我尝试上传文件时出现 403 错误:

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.

但是 token 在请求 header 中并且是正确的!当我禁用 CSRF 保护时,我可以毫无问题地上传文件。

除此之外,CSRF 保护工作正常。

这是我当前的配置:

SecurityConfiguration.java

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private SecurityUserDetailsService securityUserDetailsService;
@Autowired
private AuthFailureHandler authFailureHandler;
@Autowired
private AjaxAuthSuccessHandler ajaxAuthSuccessHandler;

@Override
protected void configure(HttpSecurity http) throws Exception {

http
.exceptionHandling()
.authenticationEntryPoint(authFailureHandler)
.and()
.authorizeRequests()
.antMatchers(
"/",
"/index.html",
"/styles/**",
"/bower_components/**",
"/scripts/**"
).permitAll().anyRequest()
.authenticated()
.and().formLogin().loginPage("/login").permitAll()
.and().logout().logoutUrl("/logout").logoutSuccessHandler(ajaxAuthSuccessHandler).permitAll()
.and().httpBasic()
.and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
.csrf().csrfTokenRepository(csrfTokenRepository());
}

private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}


@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(securityUserDetailsService)
.passwordEncoder(new BCryptPasswordEncoder());
}

}

CsrfHeaderFilter.java

public class CsrfHeaderFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {

CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null && !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
}

最后我添加了一个 SecurityWebApplicationInitializer 作为指示 here .

SecurityWebApplicationInitializer.java

public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
@Override
protected void beforeSpringSecurityFilterChain(ServletContext servletContext) {
insertFilters(servletContext, new MultipartFilter());
}

}

我做错了什么?

更新:我添加了这个配置,但我仍然收到 403。

@Configuration
public class MultipartUploadConfig {

@Bean(name = "filterMultipartResolver")
public MultipartResolver multipartResolver() {
return new CommonsMultipartResolver();
}
}

最佳答案

如果您愿意将 CSRF token 作为 url 参数发送,这是一个快速解决方案。在您的 html 模板中。

<form .... th:action="@{/upload(${_csrf.parameterName}=${_csrf.token})}">
...
</form>

关于java - Spring Boot + Security - 启用 CSRF 时无法上传文件(多部分),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/31630859/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com