How to get the CSRF token in Spring Boot

Posted on 2025-02-06 06:43:47

I am facing an issue with a null CSRF token from the request.

// For getting the CSRF token

Object obj = request.getSession().getAttribute(WebSessionServerCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN"));

We have implemented the code below for generating the CSRF token.

// For generating the CSRF token

@Bean
public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {
    http.csrf()
        .csrfTokenRepository(new WebSessionServerCsrfTokenRepository())
        .requireCsrfProtectionMatcher(getURLsForDisabledCSRF()).and()
        .authorizeExchange()
        .pathMatchers(ALLOWED_PATHS).permitAll()
        .pathMatchers(ALLOWED_METHODS).permitAll()
        .anyExchange()
        .authenticated().and()
        .securityContextRepository(NoOpServerSecurityContextRepository.getInstance()).formLogin().disable()
        .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
        .and().csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()));
    return http.build();
    //.httpBasic().disable().formLogin().disable().build();
}
Please help here, I have been stuck on this issue for the last 2 weeks.

Thanks in advance


Comments (1)

温柔嚣张 2025-02-13 06:43:47

We have found the solution for reading the token from the cookie.

CsrfToken obj = new CookieCsrfTokenRepository().loadToken(request);

We have also implemented the WebFilter for setting the XSRF-TOKEN in the cookie.

@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
    // CsrfWebFilter publishes the token as a Mono under this attribute name.
    String key = CsrfToken.class.getName();
    Mono<CsrfToken> csrfToken = null != exchange.getAttribute(key)
            ? exchange.getAttribute(key) : Mono.empty();
    return csrfToken.doOnSuccess(token -> {
        // doOnSuccess passes null when the Mono completes empty, so guard before use.
        if (token == null) {
            return;
        }
        ResponseCookie cookie = ResponseCookie.from("XSRF-TOKEN", token.getToken()).maxAge(Duration.ofHours(1))
                .httpOnly(false).path("/").build();
        //System.out.println("Cookie {} : "+cookie);
        exchange.getResponse().getCookies().add("XSRF-TOKEN", cookie);
    }).then(chain.filter(exchange));
}
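
The question's filter chain sets the CSRF repository twice (session first, cookie last), and the later call is the one that takes effect, so nothing is stored under the session key being read. The sketch below is an added example, not the posters' code: it configures the cookie repository once and reads the token from the exchange attribute. It assumes Spring Security's lambda DSL; the class name, bean names, the helper currentCsrfToken and the path "/public/**" are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class CsrfExampleConfig { // hypothetical class name

    @Bean
    public SecurityWebFilterChain exampleFilterChain(ServerHttpSecurity http) {
        http
            // Configure CSRF exactly once: a later csrfTokenRepository(...) call
            // on the same builder overrides the earlier one.
            .csrf(csrf -> csrf.csrfTokenRepository(
                    CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeExchange(ex -> ex
                .pathMatchers("/public/**").permitAll() // placeholder path
                .anyExchange().authenticated());
        return http.build();
    }

    // In WebFlux the token is exposed as a lazy Mono on the exchange,
    // not as an HttpSession attribute.
    static Mono<CsrfToken> currentCsrfToken(ServerWebExchange exchange) {
        return exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
    }

    // Subscribing to the Mono makes the configured repository generate and save
    // the token, which for the cookie repository writes the XSRF-TOKEN cookie.
    @Bean
    public WebFilter csrfCookieWebFilter() {
        return (exchange, chain) -> currentCsrfToken(exchange)
            .then(chain.filter(exchange));
    }
}
```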