
我有两个 meta 标签(我使用的是 Thymeleaf):

    <meta name="_csrf" th:content="${_csrf.token}" />
    <meta name="_csrf_header" th:content="${_csrf.headerName}" />

在我的测试控制器中,我这样做:

// Generate a CSRF token with a fresh HttpSessionCsrfTokenRepository. Note that the
// token is generated against a throwaway MockHttpServletRequest, not against the
// request that mockMvc.perform() builds below.
HttpSessionCsrfTokenRepository httpSessionCsrfTokenRepository = new HttpSessionCsrfTokenRepository();
CsrfToken csrfToken2 = httpSessionCsrfTokenRepository.generateToken(new MockHttpServletRequest());

// Principal for the test: a CustomUser with one granted authority, carried as the
// details of a UsernamePasswordAuthenticationToken.
CustomUser user = new CustomUser();
user.setName("foo");
user.setSurname("fooo");
List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new SimpleGrantedAuthority("role"));

UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("foo", "fooo", grantedAuthorities);
token.setDetails(user);     

// Pre-populate the session: the security context so the request counts as
// authenticated, and the CSRF token under the key "_csrf".
MockHttpSession session = new MockHttpSession();
session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, new MockSecurityContext(token));
// NOTE(review): this only makes the token a *session* attribute. A template
// expression such as ${_csrf.token} presumably does not look in the session
// (that would be ${session._csrf.token}), which is consistent with the
// "token not found" error reported below — confirm against the template.
session.setAttribute("_csrf", csrfToken2);


// Submit the form POST with the prepared session and assert on the rendered view.
this.mockMvc.perform(post("/foo/update")
            .param("param", "asdfasd")
            ....
            .session(session)
            )
        .andExpect(view().name(("foo/detail"))).andExpect(model().hasErrors())  

当我运行测试时,我收到此错误(未找到令牌或为空):

org.springframework.web.util.NestedServletException:请求处理失败;嵌套异常是 org.thymeleaf.exceptions.TemplateProcessingException: 异常评估 SpringEL 表达式: "_csrf.token" (layout/default:4) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:979) at org. springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869) at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java: 843) 在 org.springframework.mock.web.MockFilterChain 的 javax.servlet.http.HttpServlet.service(HttpServlet.java:790) 的 org.springframework.test.web.servlet.TestDispatcherServlet.service(TestDispatcherServlet.java:65) $ServletFilterProxy。

我找到了一个临时解决方案,但它并不理想:

<th:block th:if="${_csrf}">
   <meta name="_csrf" th:content="${_csrf.token}" />
   <meta name="_csrf_header" th:content="${_csrf.headerName}" />
</th:block> 



要访问会话属性,您需要使用

th:text="${session._csrf.headerName}">
th:text="${session._csrf.token}">

Spring Thymeleaf

如果您在测试中使用 MockMvc,您可以使用

mvc
.perform(post("/").with(csrf()))

网络安全

于 2016-02-29T19:41:26.187 回答

当 CSRF 选项被激活时,Spring Security 会创建一个 _csrf 对象,其中包含 token、headerName 和 parameterName 作为属性。在 thymeleaf 中有两个地方可以使用 CSRF 保护:

  • 在标题部分使用元标记。

    <meta name="_csrf" th:content="${_csrf.token}" />
    <meta name="_csrf_header" th:content="${_csrf.headerName}" />
    
  • 使用表单中的隐藏字段。

    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
    

SecurityMockMvcRequestPostProcessors.csrf 请求后处理器的问题在于,它只把令牌值作为字符串参数(或请求头)加入请求,而不设置请求属性,这与上面提到的 thymeleaf 代码不兼容:

    ...
    request.addHeader(token.getHeaderName(), tokenValue);
    ...
    request.setParameter(token.getParameterName(), tokenValue);

我的解决方法是制作一个自定义RequestPostProcessor,将令牌添加为请求属性而不是请求参数:

    package ...;

    import org.springframework.mock.web.MockHttpServletRequest;
    import org.springframework.mock.web.MockHttpServletResponse;
    import org.springframework.security.test.web.support.WebTestUtils;
    import org.springframework.security.web.csrf.CsrfToken;
    import org.springframework.security.web.csrf.CsrfTokenRepository;
    import org.springframework.test.web.servlet.request.RequestPostProcessor;

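    /**
     * A request post processor to add <em>csrf</em> information.
     *
     * <p>Unlike {@code SecurityMockMvcRequestPostProcessors.csrf()}, which only
     * adds the token <em>value</em> as a request parameter or header, this
     * processor exposes the {@link CsrfToken} object itself as a request
     * attribute, so a Thymeleaf template can evaluate expressions such as
     * {@code ${_csrf.token}} and {@code ${_csrf.headerName}}.
     *
     * <p>Not thread-safe: one instance configures one request.
     */
    public class CsrfRequestPostProcessor implements RequestPostProcessor {

        /** When set, the exposed token carries a value that differs from the stored one. */
        private boolean useInvalidToken = false;

        /** When set, the attribute is keyed by the header name rather than the parameter name. */
        private boolean asHeader = false;


        /**
         * Generates a token, stores it in the repository configured for the
         * application under test and exposes it on the request.
         *
         * @param request the mock request being built
         * @return the same request, with the csrf attribute added
         */
        @Override
        public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
            CsrfTokenRepository repository = WebTestUtils.getCsrfTokenRepository(request);
            CsrfToken token = repository.generateToken(request);
            // The stored token is always the genuine one; only the copy exposed to the
            // template may be altered, so that an "invalid" submission is rejected.
            repository.saveToken(token, request, new MockHttpServletResponse());

            CsrfToken exposed = token;
            if (useInvalidToken) {
                // The altered value used to be computed into a local that was never
                // read, so invalidToken() had no effect. Wrap the token instead.
                exposed = withTokenValue(token, "invalid" + token.getToken());
            }
            // The parameter name is the key a ${_csrf} expression looks up (it is
            // "_csrf" by default in Spring Security). Keying by header name mirrors
            // the original asHeader() behaviour; a template must then reference the
            // attribute under that name.
            String attributeName = asHeader ? token.getHeaderName() : token.getParameterName();
            request.setAttribute(attributeName, exposed);
            return request;
        }

        /**
         * Returns a view of {@code original} that reports {@code value} as its token
         * while keeping the original header and parameter names.
         *
         * @param original the genuine token
         * @param value    the token value to report instead
         * @return a token with the substituted value
         */
        private static CsrfToken withTokenValue(final CsrfToken original, final String value) {
            return new CsrfToken() {
                @Override
                public String getHeaderName() {
                    return original.getHeaderName();
                }

                @Override
                public String getParameterName() {
                    return original.getParameterName();
                }

                @Override
                public String getToken() {
                    return value;
                }
            };
        }

        /**
         * Exposes a deliberately wrong token value, for asserting that a protected
         * endpoint rejects a request carrying it.
         *
         * @return this processor, for chaining
         */
        public CsrfRequestPostProcessor invalidToken() {
            this.useInvalidToken = true;
            return this;
        }

        /**
         * Keys the request attribute by the token's header name instead of its
         * parameter name.
         *
         * @return this processor, for chaining
         */
        public CsrfRequestPostProcessor asHeader() {
            this.asHeader = true;
            return this;
        }

        /**
         * Static factory, for use as {@code .with(csrf())} in a MockMvc request.
         *
         * @return a new processor with default options
         */
        public static CsrfRequestPostProcessor csrf() {
            return new CsrfRequestPostProcessor();
        }
    }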

您可以直接在MockMvc中使用此类:

mockMvc.perform(
        get("/security/winsso")
                .with(CsrfRequestPostProcessor.csrf())
                .param("xxx", XXX)
                .param("yyy", YYY))
        .andExpect(status().isOk());

如果您在 thymeleaf 中使用 header 方式,请注意改用 asHeader() 选项。

于 2016-07-25T08:31:07.440 回答

你可以这样做:

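/**
 * Integration test that drives the application through the Spring Security
 * filter chain, so the CSRF filter is active for every request.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration
@WebAppConfiguration
public class CsrfShowcaseTests {

    @Autowired
    private WebApplicationContext context;

    /** The security filter chain; adding it is what makes CSRF handling part of the test. */
    @Autowired
    private Filter springSecurityFilterChain;

    private MockMvc mvc;

    /** Builds a MockMvc over the web context with the security filters installed. */
    @Before
    public void setup() {
        mvc = MockMvcBuilders
                .webAppContextSetup(context)
                .addFilters(springSecurityFilterChain)
                .build();
    }

    /**
     * Renders the index page and checks the model/view.
     *
     * <p>This is a GET, which CSRF protection does not validate by default, so the
     * test exercises template rendering of the {@code _csrf} attributes rather than
     * token checking. It previously referred to an undeclared {@code mockMvc}
     * field; the field built in {@link #setup()} is {@code mvc}.
     */
    @Test
    public void verifiesHomePageLoads() throws Exception {
        mvc.perform(MockMvcRequestBuilders.get("/index"))
                .andExpect(MockMvcResultMatchers.model().hasNoErrors())
                .andExpect(MockMvcResultMatchers.model().attributeExists("word"))
                .andExpect(MockMvcResultMatchers.model().attributeExists("w"))
                .andExpect(MockMvcResultMatchers.model().attributeExists("mobil"))
                .andExpect(MockMvcResultMatchers.view().name("/index"))
                .andExpect(MockMvcResultMatchers.status().isOk());
    }

}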

Thymeleaf 代码:

 <form id="suggetWord" name="suggetWord" data-th-action="@{/suggest-word(${_csrf.parameterName}=${_csrf.token})}" ></form>
 <form class="mainForm" th:id="word-search" th:name="word-search" data-th-action="@{/word-search(${_csrf.parameterName}=${_csrf.token})}"  > </form>    
于 2017-04-14T21:23:51.563 回答