1

我正在使用 spring-session 版本 1.0.0.M1 并且我已将其配置为使用MapSessionRepository: sessionFilterChainReg.addMappingForServletNames(EnumSet.of(DispatcherType.REQUEST), false, dispatcherServletReg.getName());

@Bean(name = {"defaultSessionFilter", "sessionFilter"})
public SessionRepositoryFilter sessionFilter() {
    return new SessionRepositoryFilter((SessionRepository) applicationContext.getBean("sessionRepository"));
}


@Bean(name = { "defaultSessionRepository", "sessionRepository" })
public SessionRepository defaultSessionRepository() {
    return new MapSessionRepository();
}

然后在网络配置中:

    final FilterRegistration sessionFilterChainReg = servletContext.addFilter("sessionFilter", DelegatingFilterProxy.class);

所以我在我的 register.jsp 中有以下输入隐藏元素:

<input type="hidden" id="${_csrf.parameterName}" name="${_csrf.parameterName}" value="${_csrf.token}"/>

我可以看到页面使用正确的 CSRF 令牌呈现。当我提交 POST 请求时,CSRF 过滤器被触发,并且令牌被正确传递给过滤器,它HttpSessionCsrfTokenRepository:loadToken在第 66 行调用 and ,我们看到:

HttpSession session = request.getSession(false);

现在会话为空,因此存储库返回一个空 CSRF 令牌,然后MissingCsrfTokenException抛出 a。还有什么我需要配置的吗?

这是第 66 行时的堆栈跟踪(还有很多,但我想这是它的相关部分):

at org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.loadToken(HttpSessionCsrfTokenRepository.java:66)
  at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:75)
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
  at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
  at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
  at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1632)
  at org.springframework.session.web.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:83)
  at org.springframework.session.web.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:66)
  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1632)
4

1 回答 1

1

发现了问题 - 我自己有一个Filterwhich WrappedHttpServletRequest对象并且过滤器在SessionRepositoryFilter. 我不确定这是正确的,但在SessionRepositoryFilter我这样做之后强制它开火:

@Bean(name = {"defaultSessionFilter", "sessionFilter"})
public Filter sessionFilter() {
    CompositeFilter compositeFilter = new CompositeFilter();
    compositeFilter.setFilters(Arrays.asList(new SessionRepositoryFilter((SessionRepository) applicationContext.getBean("sessionRepository")), applicationContext.getBean("myFilter")));

    return compositeFilter;
}

这解决了这个问题。

于 2014-10-09T12:54:56.457 回答