Spring-Boot带有CSRF标头的POST请求

huangapple go评论71阅读模式
英文:

Spring-Boot Post request with csrf header

问题

以下是您提供的内容的翻译部分:

在开发我的Spring Boot应用程序时,我禁用了csrf;但现在我需要启用它。我按照Spring文档这里所示进行操作,但在我的JavaScript文件中进行POST请求时,我不断收到"SyntaxError: Invalid header name."的错误。我在这里做了一些明显错误的事情吗?

这是在HTML页面顶部的Header中的函数:

<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>

这是进行请求的JavaScript文件:

var request = new XMLHttpRequest();
request.onreadystatechange = function() {
  if (request.readyState == XMLHttpRequest.DONE) {
      location.reload();
  }
}

// 用于CSRF保护的Headers
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");

request.open("POST", "/admin/delete-email");
request.setRequestHeader(header, token);  // <-- 此行抛出语法错误。
request.send(formData);

这是安全配置:

@Override
public void configure(HttpSecurity http) throws Exception {
  // 以下代码片段打开整个应用程序
  // http.authorizeRequests().antMatchers("/**").permitAll();

  //http.csrf().disable();
  http.authorizeRequests()
    .antMatchers("/admin/**")
    .hasRole("ADMIN")
    .antMatchers("/db/**")
    .hasRole("ADMIN")
    .and()
    .formLogin()
    .permitAll()
    .and()
    .httpBasic();
}

当使用表单进行POST请求时,我还会收到403错误:

<form method="POST" enctype="multipart/form-data" action="/admin/add-email">
    <td class="tg-0pky"><input type="text" name="employeeId"/></td>
    <td class="tg-0pky"><input type="text" name="email"/></td>
    <td class="tg-0pky"><input type="submit" value="Upload"/></td>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
英文:

When developing my Spring Boot app, I had csrf disabled; but now I need to enable it. I followed the Spring Docs here but I keep getting a "SyntaxError: Invalid header name." in my javascript file making the POST request. Am I doing something obviously wrong here?

This is in my Header at the top of the HTML page for this function:

&lt;meta name=&quot;_csrf&quot; content=&quot;${_csrf.token}&quot;/&gt;
&lt;meta name=&quot;_csrf_header&quot; content=&quot;${_csrf.headerName}&quot;/&gt;

This is the JavaScript file making the request:

var request = new XMLHttpRequest();
request.onreadystatechange = function() {
  if (request.readyState == XMLHttpRequest.DONE) {
      location.reload();
  }
}

// Headers for CSRF protection
var token = $(&quot;meta[name=&#39;_csrf&#39;]&quot;).attr(&quot;content&quot;);
var header = $(&quot;meta[name=&#39;_csrf_header&#39;]&quot;).attr(&quot;content&quot;);

request.open(&quot;POST&quot;, &quot;/admin/delete-email&quot;);
request.setRequestHeader(header, token);  &lt;-- This line throws syntax error.
request.send(formData);

Here is the security configuration:

@Override
public void configure(HttpSecurity http) throws Exception {
  // The following snippet opens the entire app
  // http.authorizeRequests().antMatchers(&quot;/**&quot;).permitAll();

  //http.csrf().disable();
  http.authorizeRequests()
    .antMatchers(&quot;/admin/**&quot;)
    .hasRole(&quot;ADMIN&quot;)
    .antMatchers(&quot;/db/**&quot;)
    .hasRole(&quot;ADMIN&quot;)
    .and()
    .formLogin()
    .permitAll()
    .and()
    .httpBasic();
  }

I also get a 403 error when making a POST request using a Form:

&lt;form method=&quot;POST&quot; enctype=&quot;multipart/form-data&quot; action=&quot;/admin/add-email&quot;&gt;
    &lt;td class=&quot;tg-0pky&quot;&gt;&lt;input type=&quot;text&quot; name=&quot;employeeId&quot;/&gt;&lt;/td&gt;
    &lt;td class=&quot;tg-0pky&quot;&gt;&lt;input type=&quot;text&quot; name=&quot;email&quot;/&gt;&lt;/td&gt;
    &lt;td class=&quot;tg-0pky&quot;&gt;&lt;input type=&quot;submit&quot; value=&quot;Upload&quot;/&gt;&lt;/td&gt;
    &lt;input type=&quot;hidden&quot; name=&quot;${_csrf.parameterName}&quot; value=&quot;${_csrf.token}&quot;/&gt;
&lt;/form&gt;

答案1

得分: 1

<meta th:name="csrf" th:content="${_csrf.token}"/>
<meta th:name="csrf_header" th:content="${_csrf.headerName}"/>

and

<form method="POST" enctype="multipart/form-data" action="/admin/add-email">
<td class="tg-0pky"><input type="text" name="employeeId"/></td>
<td class="tg-0pky"><input type="text" name="email"/></td>
<td class="tg-0pky"><input type="submit" value="Upload"/></td>
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
</form>

英文:

Figured it out. Since I am using Thymeleaf I need to use th: namespaces.

&lt;meta th:name=&quot;_csrf&quot; th:content=&quot;${_csrf.token}&quot;/&gt;
&lt;meta th:name=&quot;_csrf_header&quot; th:content=&quot;${_csrf.headerName}&quot;/&gt;

and

&lt;form method=&quot;POST&quot; enctype=&quot;multipart/form-data&quot; action=&quot;/admin/add-email&quot;&gt;
  &lt;td class=&quot;tg-0pky&quot;&gt;&lt;input type=&quot;text&quot; name=&quot;employeeId&quot;/&gt;&lt;/td&gt;
  &lt;td class=&quot;tg-0pky&quot;&gt;&lt;input type=&quot;text&quot; name=&quot;email&quot;/&gt;&lt;/td&gt;
  &lt;td class=&quot;tg-0pky&quot;&gt;&lt;input type=&quot;submit&quot; value=&quot;Upload&quot;/&gt;&lt;/td&gt;
  &lt;input type=&quot;hidden&quot; th:name=&quot;${_csrf.parameterName}&quot; th:value=&quot;${_csrf.token}&quot;/&gt;
&lt;/form&gt;

huangapple
  • 本文由 发表于 2020年9月11日 06:44:48
  • 转载请务必保留本文链接:https://go.coder-hub.com/63838591.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定