
JSP 페이지에서 컨트롤러로 데이터를 보내기 위해 HTTP POST를 사용하려고 합니다. 문제는 CSRF를 활성화하면 요청이 전송되지 않는다는 점인데, CSRF는 계속 활성화해 두고 싶습니다. (제목: CSRF 보안이 HTTP 요청을 차단함)

home.jsp

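<%@ page language="java" contentType="text/html; charset=ISO-8859-1" 
    pageEncoding="ISO-8859-1"%> 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> 
<html> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
<%-- Spring Security's CSRF support publishes the current token as the
     ${_csrf} request attribute. Because <security:csrf/> is enabled in
     springsecurity.xml, every POST (even to a permitAll URL such as
     /sendmessage) is rejected unless it carries this token, so expose it
     here for the Ajax call below to read. --%>
<meta name="_csrf" content="${_csrf.token}"/> 
<meta name="_csrf_header" content="${_csrf.headerName}"/> 
<%-- NOTE(review): jQuery is loaded from a third-party CDN without a
     Subresource Integrity hash; consider serving it locally or adding one. --%>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.0/jquery.min.js"></script> 
<title>Insert title here</title> 
</head> 
<body> 
hello there !!!<br> 
<button type="button" onclick="location.href='${pageContext.request.contextPath}/create';"> start workflow</button> <br> 
<button type="button" onclick="location.href='${pageContext.request.contextPath}/workflows';"> View Workflows</button> <br> 
<button type="button" onclick="sendDataWithJson();"> View data</button> <br> 

<a href="${pageContext.request.contextPath}/login">login</a> 



    <p>Parameter from home ${pageContext.request.userPrincipal.name}</p> 
</body> 

<script type="text/javascript"> 
// Attach the CSRF token to every same-origin jQuery Ajax request from this
// page. The token is sent as a header (X-CSRF-TOKEN by default) rather than
// as the _csrf form parameter, because the request body below is JSON and a
// form parameter cannot be embedded in it.
$(function() {
    var csrfToken = $("meta[name='_csrf']").attr("content");
    var csrfHeader = $("meta[name='_csrf_header']").attr("content");
    $(document).ajaxSend(function(event, xhr, options) {
        // Never leak the session's token to another origin; skip the header
        // when the meta tags are missing instead of sending an undefined name.
        if (csrfToken && csrfHeader && !options.crossDomain) {
            xhr.setRequestHeader(csrfHeader, csrfToken);
        }
    });
});

// Success callback for the /sendmessage POST; the response body is ignored.
function success(data){ 
    alert("success"); 
} 
// Error callback for the /sendmessage POST; a CSRF rejection also lands here.
function error(data){ 
    alert("error"); 
} 
// POSTs a fixed JSON payload to the controller's /sendmessage endpoint.
// The CSRF header is added by the ajaxSend hook registered above.
function sendDataWithJson(){ 

$.ajax({ 
    type: 'POST', 
    url: '<c:url value="/sendmessage" />', 
    data: JSON.stringify({"text":"bla bla bla","name":"MED"}), 
    success:success, 
    error:error, 
    contentType: "application/json", 
    dataType: "json" 

}); 

} 


</script> 
</html> 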

springsecurity.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd 
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd"> 


    <!-- Users are looked up by uid under ou=users; their ROLE_* authorities come
         from the cn of each ou=groups entry that lists them as uniqueMember. -->
    <security:authentication-manager> 
       <security:ldap-authentication-provider 
      user-search-filter="(uid={0})" user-search-base="ou=users" 
      group-search-filter="(uniqueMember={0})" group-search-base="ou=groups" 
      group-role-attribute="cn" role-prefix="ROLE_" /> 
    </security:authentication-manager> 
    <!-- NOTE(review): the manager bind password sits in clear text in this file;
         keep it out of version control or externalise it (e.g. a property
         placeholder). The URL is plain ldap://, so the bind credentials travel
         unencrypted - acceptable only for the local test server used here. -->
    <security:ldap-server url="ldap://localhost:8389/o=mojo" 
     manager-dn="uid=admin,ou=system" manager-password="secret" /> 
    <security:http use-expressions="true"> 


     <!-- Rules are matched in order, first match wins. There is no catch-all
          (/**) rule, so any path not listed here presumably gets no access
          check at all - confirm that is intended. -->
     <security:intercept-url pattern="/" access="permitAll"/> 
     <security:intercept-url pattern="/next" access="permitAll" /> 
     <security:intercept-url pattern="/workflows" access="isAuthenticated()"/> 
     <security:intercept-url pattern="/getmessages" access="isAuthenticated()"/> 
     <!-- permitAll only skips the authorization check; the CSRF filter below
          still rejects a POST to this URL that carries no token. -->
     <security:intercept-url pattern="/sendmessage" access="permitAll"/> 


     <!-- GET /login renders the form, POST /login processes it. The failure URL
          points at /login.html, a different path from login-page - verify a
          handler exists for it. -->
     <security:form-login login-page="/login" 
     login-processing-url="/login" 
     authentication-failure-url="/login.html?error=true" 
      username-parameter="username" 
      password-parameter="password" 

      /> 
       <!-- Enables CSRF protection for all state-changing requests (by default
            everything except GET/HEAD/TRACE/OPTIONS), independent of the
            intercept-url access rules. Clients must send the token either as
            the _csrf parameter or, for JSON bodies, as the X-CSRF-TOKEN header. -->
       <security:csrf/> 
    </security:http> 
</beans> 

컨트롤러

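/**
     * Receives the JSON object posted from home.jsp and acknowledges it.
     * <p>
     * The endpoint is {@code permitAll} in springsecurity.xml, but because
     * {@code <security:csrf/>} is enabled the POST is still rejected unless it
     * carries the CSRF token (header {@code X-CSRF-TOKEN} by default).
     *
     * @param data the deserialised JSON body; only the {@code text} and
     *             {@code name} entries are read, and both may be absent
     * @return a single-entry map {@code {"success": true}}
     */
    @RequestMapping(value = "/sendmessage" , method=RequestMethod.POST , produces="application/json") 
    @ResponseBody 
    public Map<String, Object> getData(@RequestBody Map<String, Object> data){ 
        // String.valueOf instead of a cast: a non-string JSON value (number,
        // object, boolean) no longer fails with ClassCastException and a
        // missing key still prints as "null", as before.
        String text = String.valueOf(data.get("text"));
        String name = String.valueOf(data.get("name"));
        // Client-controlled values are written to stdout unsanitised; treat
        // this as debug output, not as an audit log.
        System.out.println(text + "," + name);
        Map<String, Object> rval = new HashMap<String, Object>();
        rval.put("success", true);
        return rval;
    } 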

답변


JSP를 사용한다면 HTML에 다음과 같이 CSRF 값을 추가할 수 있습니다:
<!-- The three _csrf values are supplied by Spring Security's CSRF support.
     Put these in the <head> of the JSP; the script below reads the token and
     header name from them. Only _csrf and _csrf_header are needed for the
     header approach - _csrf_param is for classic form posts. -->
<meta name="_csrf_param" content="${_csrf.parameterName}"/> 
<meta name="_csrf" content="${_csrf.token}"/> 
<!-- default header name is X-CSRF-TOKEN --> 
<meta name="_csrf_header" content="${_csrf.headerName}"/> 

그러면 세션의 CSRF 값이 페이지에 들어갑니다.

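// Adds the CSRF token to every same-origin jQuery Ajax request.
// The token and header name are read from the <meta> tags above; the header
// is used because a JSON request body cannot carry the _csrf form parameter.
$(function() { 
    var token = $("meta[name='_csrf']").attr("content"); 
    var header = $("meta[name='_csrf_header']").attr("content"); 
    $(document).ajaxSend(function(e, xhr, options) { 
        // Do not hand the session's token to other origins, and skip the
        // header entirely (rather than setting an undefined name) when the
        // meta tags are absent from the page.
        if (token && header && !options.crossDomain) { 
            xhr.setRequestHeader(header, token); 
        } 
    }); 
}); 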
이제 헤더에 CSRF 토큰을 추가해야 하는데, Ajax를 사용한다면 위와 같이 jQuery를 확장하면 됩니다.