Spring-Boot Post request with csrf header
Question
When developing my Spring Boot app, I had csrf disabled; but now I need to enable it. I followed the Spring Docs here but I keep getting a "SyntaxError: Invalid header name." in my javascript file making the POST request. Am I doing something obviously wrong here?
This is in my Header at the top of the HTML page for this function:
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
This is the JavaScript file making the request:
var request = new XMLHttpRequest();
request.onreadystatechange = function() {
    if (request.readyState == XMLHttpRequest.DONE) {
        location.reload();
    }
}
// Headers for CSRF protection
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
request.open("POST", "/admin/delete-email");
request.setRequestHeader(header, token); // <-- This line throws syntax error.
request.send(formData);
Here is the security configuration:
@Override
public void configure(HttpSecurity http) throws Exception {
    // The following snippet opens the entire app
    // http.authorizeRequests().antMatchers("/**").permitAll();
    //http.csrf().disable();
    http.authorizeRequests()
        .antMatchers("/admin/**")
        .hasRole("ADMIN")
        .antMatchers("/db/**")
        .hasRole("ADMIN")
        .and()
        .formLogin()
        .permitAll()
        .and()
        .httpBasic();
}
I also get a 403 error when making a POST request using a Form:
<form method="POST" enctype="multipart/form-data" action="/admin/add-email">
<td class="tg-0pky"><input type="text" name="employeeId"/></td>
<td class="tg-0pky"><input type="text" name="email"/></td>
<td class="tg-0pky"><input type="submit" value="Upload"/></td>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
Answer 1
Score: 1
Figured it out. Since I am using Thymeleaf I need to use th: namespaces.
<meta th:name="_csrf" th:content="${_csrf.token}"/>
<meta th:name="_csrf_header" th:content="${_csrf.headerName}"/>
and
<form method="POST" enctype="multipart/form-data" action="/admin/add-email">
<td class="tg-0pky"><input type="text" name="employeeId"/></td>
<td class="tg-0pky"><input type="text" name="email"/></td>
<td class="tg-0pky"><input type="submit" value="Upload"/></td>
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
</form>
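The error in the question follows directly from what the answer describes: without the th: prefix, Thymeleaf leaves the literal text ${_csrf.headerName} in the meta content, and a browser rejects { and } in a header field name, so setRequestHeader throws "SyntaxError: Invalid header name". The following is an added example, not code from the question or the answer, showing how a client can read the two meta tags, fail with a clear message when the values are missing or are still unprocessed template expressions, and attach the token to a same-origin POST. The meta names _csrf and _csrf_header come from the question; readCsrfMeta, buildCsrfHeaders, metaFromMap, domMetaAccessor and postWithCsrf are names chosen here, and the meta accessor and fetch function are injectable so the logic runs outside a browser.

```javascript
// Added example (not from the original post): read the Spring Security CSRF
// token and header name that Thymeleaf renders into <meta> tags, validate
// them, and attach them to a same-origin POST. Function names are assumptions;
// the meta names "_csrf" and "_csrf_header" match the question.

// RFC 7230 "token" grammar for a header field name. Characters such as "{",
// "}" and spaces are not allowed, which is why an unprocessed
// "${_csrf.headerName}" makes XMLHttpRequest.setRequestHeader throw
// "SyntaxError: Invalid header name".
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Matches a value the template engine never evaluated, e.g. "${_csrf.token}".
const UNPROCESSED_EXPR_RE = /^\$\{.*\}$/;

// Reads both meta values through an injectable accessor (name -> content or
// null) and returns them only if they are usable as a header name and value.
function readCsrfMeta(getMeta) {
  const headerName = getMeta("_csrf_header");
  const token = getMeta("_csrf");

  if (headerName == null || token == null) {
    throw new Error("CSRF <meta> tags missing: are they rendered by the template?");
  }
  // Plain name="..."/content="..." attributes are left untouched by Thymeleaf;
  // th:name / th:content are required for the expressions to be evaluated.
  if (UNPROCESSED_EXPR_RE.test(headerName) || UNPROCESSED_EXPR_RE.test(token)) {
    throw new Error("CSRF meta values are unprocessed template expressions: " + headerName);
  }
  if (!HEADER_NAME_RE.test(headerName)) {
    throw new Error("Invalid CSRF header name: " + JSON.stringify(headerName));
  }
  return { headerName, token };
}

// Builds the headers object for fetch() (or a loop over setRequestHeader).
function buildCsrfHeaders(getMeta) {
  const { headerName, token } = readCsrfMeta(getMeta);
  return { [headerName]: token };
}

// Accessor over a plain object, used for offline runs and tests.
function metaFromMap(map) {
  return (name) => (Object.prototype.hasOwnProperty.call(map, name) ? map[name] : null);
}

// Accessor over a real DOM; no jQuery needed.
function domMetaAccessor(doc) {
  return (name) => {
    const el = doc.querySelector('meta[name="' + name + '"]');
    return el ? el.getAttribute("content") : null;
  };
}

// Sends a same-origin POST with the CSRF header attached. fetchImpl is
// injectable so the function can be exercised without network access; it
// returns whatever fetchImpl returns (a Promise<Response> in the browser).
function postWithCsrf(url, body, getMeta, fetchImpl) {
  const headers = buildCsrfHeaders(getMeta);
  return fetchImpl(url, {
    method: "POST",
    credentials: "same-origin", // send the session cookie the token is bound to
    headers: headers,
    body: body,
  });
}

// Constructed sample inputs (not real tokens): what a correctly rendered page
// exposes, and what the page in the question exposed before the th: fix.
const SAMPLE_META_OK = { _csrf_header: "X-CSRF-TOKEN", _csrf: "constructed-token-123" };
const SAMPLE_META_UNPROCESSED = { _csrf_header: "${_csrf.headerName}", _csrf: "${_csrf.token}" };

// Browser usage (assumed endpoint from the question):
// postWithCsrf("/admin/delete-email", formData, domMetaAccessor(document), fetch)
//   .then((r) => { if (r.ok) location.reload(); });
```

Because the validation runs before any request is built, a page whose template was not processed fails at the meta-reading step with a message naming the unprocessed expression, rather than with the browser's generic "Invalid header name"; a page that omits the tags entirely fails with the "missing" message instead of sending an unprotected POST that the server answers with 403.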