2

我们正在为库存系统项目(学校)创建一个 Java 客户端来与 Ruby on Rails 服务器交互。

我们使用的客户端应该使用 HTTP GET 来请求信息,使用 HTTP POST 来更新或创建新信息(是的,我们知道 HTTP PUT ......)。

不幸的是,当我们尝试进行 HTTP 发布时,我们遇到了 InvalidAuthenticityToken 错误。我们通过 HTTP 基本身份验证进行身份验证,我们的控制器如下所示:

class UsersController < ApplicationController

  before_filter :authenticate

  def show
    @user = User.find(params[:id])
    #@user = User.all
    render :xml => @user.to_xml
  end

  def update
    @user = User.find(params[:id])

    if @user.update_attributes(params[:user])
      render :text => 'Success!'
    else
      render :text => 'No success!'
    end
  end

private
  def authenticate
    logger.info("Entering Authen..")
    authenticate_or_request_with_http_basic do |username, password|
      logger.info("Time: #{Time.now}, username: #{username}, password: #{password}")
      User.authenticate(username, password)
    end
  end

end

show 动作完美运行,身份验证动作由有效的用户名和密码触发(例如,工作正常......)。当我们尝试对更新操作发布更新时,就会出现问题。当我们尝试它时,我们得到一个 InvalidAuthenticityToken 异常。以下来自我们的开发日志:

#Successful GET
Processing UsersController#show (for 10.18.2.84 at 2010-11-24 19:02:42) [GET]
  Parameters: {"id"=>"2"}
Entering Authen..
Filter chain halted as [:authenticate] rendered_or_redirected.
Completed in 3ms (View: 2, DB: 0) | 401 Unauthorized [http://10.18.2.84/users/show/2]

Processing UsersController#show (for 10.18.2.84 at 2010-11-24 19:02:43) [GET]
  Parameters: {"id"=>"2"}
Entering Authen..
Time: Wed Nov 24 19:02:43 -0600 2010, username: admin, password: pass
  [4;36;1mUser Load (1.0ms)[0m   [0;1mSELECT * FROM "users" WHERE (user_name = 'admin' AND password = 'pass') LIMIT 1[0m
  [4;35;1mUser Load (0.0ms)[0m   [0mSELECT * FROM "users" WHERE ("users"."id" = 2) [0m
Completed in 18ms (View: 2, DB: 1) | 200 OK [http://10.18.2.84/users/show/2]

#Unsuccessful POST    
Processing UsersController#update (for 10.18.2.84 at 2010-11-24 19:03:06) [POST]
  Parameters: {"id"=>"2", "first-name"=>"Macky"}

ActionController::InvalidAuthenticityToken 
(ActionController::InvalidAuthenticityToken):

我们担心的是,它甚至没有尝试验证基本身份验证——据我们所知,它正在跳过过滤器和整个控制器。我们的代码在客户端中非常普通(为了便于理解,我们对其进行了编辑):

            DefaultHttpClient httpClient = new DefaultHttpClient();
        myCredentials = new UsernamePasswordCredentials( username, password );

        //Set Provider
        provider = new BasicCredentialsProvider();
        provider.setCredentials(scope, myCredentials);

        //Set Credentials
        httpClient.setCredentialsProvider( provider );

            ArrayList<NameValuePair> formparams = new ArrayList<NameValuePair>();
            formparams.add(new BasicNameValuePair("first-name", "Macky"));

            UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(formparams, "UTF-8");

            //Set the post
            post = new HttpPost( url );

            post.setEntity(formEntity);

            response = httpClient.execute( post );

那么,是 Rails 做错了,还是 Java Jakarta 客户端做错了?任何帮助是极大的赞赏。

4

1 回答 1

3

您是否在 POST 数据中包含 CSRF 令牌?

请参阅此链接:http ://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html

默认情况下protect_from_forgery是启用的,这使得 Rails 对任何非 GET 请求都需要一个真实性令牌。Rails 会自动在使用表单助手创建的表单中包含真实性令牌,但我猜因为您正在构建自己的表单来发布,所以您没有包含该令牌。

于 2010-11-25T01:36:29.047 回答