Hi, I am trying to follow a simple example for a login form page that I found on this page: http://docs.spring.io/autorepo/docs/spring-security/4.0.x/guides/form.html
The problem is that every time I try to log in I get this error: Expected CSRF token not found. Has your session expired?
When I get this error, I press the back button in the browser and try to log in a second time, and when I do that I get this error: HTTP 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
The tutorial page has this message: "We use Thymeleaf to automatically add the CSRF token to our form. If we were not using Thymeleaf or Spring MVC's taglib we could also manually add the CSRF token using"
So, because I am also using Thymeleaf, I did not add this tag to my page.
I found another solution that works, which is to add this to my security config class: .csrf().disable()
This solution works, but I guess it does so by disabling the CSRF protection in my page, and I don't want to disable this kind of protection.
This is my security-config class:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ConfigSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // .csrf().disable() is commented out because I don't want to disable this kind of protection
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
```
My security initializer:
```java
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class InitSecurity extends AbstractSecurityWebApplicationInitializer {

    // The constructor name must match the class name for this to compile
    public InitSecurity() {
        super(ConfigSecurity.class);
    }
}
```
My app-config class, where I have my Thymeleaf configuration:
```java
import org.springframework.context.MessageSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.support.ReloadableResourceBundleMessageSource;
import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
// Thymeleaf 2.x / thymeleaf-spring4 API, which matches the Spring Security 4.0.x tutorial
import org.thymeleaf.spring4.SpringTemplateEngine;
import org.thymeleaf.spring4.templateresolver.SpringResourceTemplateResolver;
import org.thymeleaf.spring4.view.ThymeleafViewResolver;
import org.thymeleaf.templateresolver.ServletContextTemplateResolver;

@EnableWebMvc
@ComponentScan(basePackages = {"com.myApp.R10"})
@Configuration
public class ConfigApp extends WebMvcConfigurerAdapter {

    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/css/**").addResourceLocations("/css/**");
        registry.addResourceHandler("/img/**").addResourceLocations("/img/**");
        registry.addResourceHandler("/js/**").addResourceLocations("/js/**");
        registry.addResourceHandler("/sound/**").addResourceLocations("/sound/**");
        registry.addResourceHandler("/fonts/**").addResourceLocations("/fonts/**");
    }

    @Override
    public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }

    @Bean
    public MessageSource messageSource() {
        ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
        messageSource.setBasenames("classpath:messages/messages");
        messageSource.setUseCodeAsDefaultMessage(true);
        messageSource.setDefaultEncoding("UTF-8");
        messageSource.setCacheSeconds(0); // -1: never reload, 0: always reload
        return messageSource;
    }

    // THYMELEAF
    @Bean
    public ServletContextTemplateResolver templateResolver() {
        ServletContextTemplateResolver resolver = new ServletContextTemplateResolver();
        resolver.setPrefix("/WEB-INF/views/pagLogin/");
        resolver.setSuffix(".html");
        resolver.setTemplateMode("HTML5");
        resolver.setOrder(0);
        resolver.setCacheable(false);
        return resolver;
    }

    @Bean
    public SpringTemplateEngine templateEngine() {
        SpringTemplateEngine engine = new SpringTemplateEngine();
        engine.setTemplateResolver(templateResolver());
        engine.setMessageSource(messageSource());
        return engine;
    }

    @Bean
    public ThymeleafViewResolver thymeleafViewResolver() {
        ThymeleafViewResolver resolver = new ThymeleafViewResolver();
        resolver.setTemplateEngine(templateEngine());
        resolver.setOrder(1);
        resolver.setCache(false);
        return resolver;
    }

    // Second resolver bean; it is not wired into templateEngine() above
    @Bean
    public SpringResourceTemplateResolver thymeleafSpringResource() {
        SpringResourceTemplateResolver vista = new SpringResourceTemplateResolver();
        vista.setTemplateMode("HTML5");
        return vista;
    }
}
```
My app-config initializer:
```java
import javax.servlet.Filter;

import org.springframework.web.filter.HiddenHttpMethodFilter;
import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class InicializarApp extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return null;
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class[] { ConfigApp.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }

    @Override
    protected Filter[] getServletFilters() {
        return new Filter[] { new HiddenHttpMethodFilter() };
    }
}
```
My login controller class:
```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class ControllerLogin {

    // Renders /WEB-INF/views/pagLogin/login.html through the Thymeleaf view resolver
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String pageLogin(Model model) {
        return "login";
    }
}
```
My home controller class:
```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class HomeController {

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String home(Model model) {
        return "home";
    }
}
```
My login.html:
Messages : Create
My home.html page is only displayed after I log in. The only way I can log in is to put .csrf().disable() in my security config class, but I don't want to disable that protection; if I don't put it in my security config class, I get the errors I mentioned at the beginning of this question.
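As an added example, not part of the original post: a Thymeleaf login.html that fits the ConfigSecurity and ConfigApp classes above. It assumes the file lives under /WEB-INF/views/pagLogin/ and is rendered by the SpringTemplateEngine configured in ConfigApp, and that the form posts to Spring Security's default form-login processing URL, /login, with the default field names username and password. The point the tutorial sentence quoted above leaves implicit is that the automatic CSRF field only appears when the form uses `th:action`: Thymeleaf's Spring dialect then consults Spring Security's CsrfRequestDataValueProcessor and appends a hidden `_csrf` input, whereas a plain `action="/login"` attribute gets nothing. The commented-out hidden input is the manual alternative the tutorial refers to.

```html
<!DOCTYPE html>
<!-- Added example, not from the original post. Assumed location:
     /WEB-INF/views/pagLogin/login.html, rendered by the SpringTemplateEngine in ConfigApp. -->
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head>
    <title>Please log in</title>
</head>
<body>
    <!-- Shown when Spring Security redirects back to /login?error or /login?logout -->
    <div th:if="${param.error}">Invalid username and password.</div>
    <div th:if="${param.logout}">You have been logged out.</div>

    <!-- th:action (not a plain action="/login") is what triggers the Spring integration:
         Thymeleaf asks Spring Security's CsrfRequestDataValueProcessor for extra hidden fields
         and emits <input type="hidden" name="_csrf" value="..."/> inside this form. -->
    <form th:action="@{/login}" method="post">
        <div>
            <label for="username">Username</label>
            <input type="text" id="username" name="username"/>
        </div>
        <div>
            <label for="password">Password</label>
            <input type="password" id="password" name="password"/>
        </div>

        <!-- Manual alternative: the "_csrf" request attribute is set by CsrfFilter on every request.
             Use this only when the form cannot use th:action (for example a plain action attribute);
             with th:action present it would just emit the same field a second time.
        <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
        -->

        <button type="submit">Log in</button>
    </form>
</body>
</html>
```

A quick check after deploying: open /login and view the rendered page source. If the integration is working, the form contains a hidden input named `_csrf`, and the login POST carries that parameter together with the JSESSIONID cookie. The two messages in the question map to two different failures in Spring Security 4's CsrfFilter. The generated token is only written to the session when something reads it, which rendering `${_csrf.token}` or the th:action hidden field does; a login page that never renders the token leaves the session without one, and the POST then fails with MissingCsrfTokenException, the "Expected CSRF token not found. Has your session expired?" message. InvalidCsrfTokenException, the "Invalid CSRF Token 'null'" message, means the session does hold a token but the request carried none, which is what a form rendered without the hidden field submits.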