web-dev-qa-db-fra.com

Statut HTTP 403 - Jeton CSRF attendu introuvable. Votre session a-t-elle expiré?

J'utilise la sécurité de printemps 4.0.1. Dès que je me connecte, il affiche mon tableau de bord. Lorsque je clique sur quelque chose, la page d'erreur suivante s'affiche:

Statut HTTP 403 - Jeton CSRF attendu introuvable. Votre session a-t-elle expiré?

J'ai fait quelques recherches à ce sujet et il indique que je dois ajouter ceci http.csrf (). Disable (). Je ne suis pas en mesure de l'ajouter car il me dit que la méthode est indéfinie pour le type httpsecurity.

Veuillez trouver ci-dessous le code de configuration:

 @Configuration
 @EnableWebSecurity
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {


    @Autowired
    @Qualifier("userDetailsServiceImpl")
    UserDetailsService userDetailsService;

    @Autowired
    SuccessHandler successHandler;

    @Autowired
    FailureHandler failureHandler;


    @Autowired
     public void configureGlobalSecurity(AuthenticationManagerBuilder auth)   throws Exception {
    ShaPasswordEncoder encoder = new ShaPasswordEncoder();
    auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

@Override
protected void configure(HttpSecurity http) throws Exception {

  http.authorizeRequests()
    .antMatchers("/login.xhtml").permitAll()
    .antMatchers("/pages/**").access("isAuthenticated()")
    .antMatchers("/run**").access("isAuthenticated()")
    .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
    .successHandler(successHandler)
    .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
    .usernameParameter("username")
    .passwordParameter("password")
    .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
  }
 }

Login.xhtml

  <!DOCTYPE html>
  <f:view>
   <h:head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    </script><script src="js/jquery-1.js"></script>
    <script src="js/adpacks-demo.js" type="text/javascript"></script>
    <script src="js/bsa.js" type="text/javascript"></script>

   </h:head>
<h:body>
    <form id="login" action='#{request.contextPath}/login' method='POST'>
        <h1>Log In</h1>
        <fieldset id="inputs">
            <input id="username" type="text" name="username" placeholder="Username" />
            <input id="password" type="password" name="password" placeholder="Password" />
        </fieldset>
        <fieldset id="actions">
            <input type="hidden" name="${_csrf.parameterName}"  value="${_csrf.token}" />
            <input id="submit" value="Log in" type="submit"  /><a href="">Forgot your password?</a>
        </fieldset>
    </form>
</h:body>

MaConfiguration.Java

  @Configuration
  @EnableWebMvc
  @ComponentScan(basePackages = "com.car")
  public class MyConfiguration extends WebMvcConfigurerAdapter {



@Bean(name="HelloWorld")
public ViewResolver viewResolver() {
    InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
    viewResolver.setViewClass(JstlView.class);
    viewResolver.setPrefix("/web-inf");
    viewResolver.setSuffix(".xhtml");

    return viewResolver;
}

/*
 * Configure ResourceHandlers to serve static resources like CSS/ Javascript etc...
 */
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/webapp/**").addResourceLocations("/webapp/");
}

}

SecurityWebApplicationInitializer.Java

  public class SecurityWebApplicationInitializer extends   AbstractSecurityWebApplicationInitializer {

  }

AppConfig.Java

   @Configuration
   public class AppConfig {
   @Bean
   public SuccessHandler successHandler() {
       return new SuccessHandler();
   }

   @Bean
   public FailureHandler failureHandler() {
       return new FailureHandler();
    }
    }

Web.xml

   <?xml version="1.0" encoding="UTF-8"?>
   <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xmlns="http://Java.Sun.com/xml/ns/javaee"    xmlns:web="http://Java.Sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://Java.Sun.com/xml/ns/javaee   http://Java.Sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">


 <context-param>
      <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
      <param-value>.xhtml</param-value>
 </context-param>

 <context-param>
    <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
    <param-value>false</param-value>
 </context-param>

 <welcome-file-list>
    <welcome-file>login.xhtml</welcome-file>
 </welcome-file-list>
 <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
 </servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

 <context-param>
      <param-name>com.Sun.faces.expressionFactory</param-name>
      <param-value>com.Sun.el.ExpressionFactoryImpl</param-value>
 </context-param>

<servlet>
    <description>generated-servlet</description>
    <servlet-name>CAR Servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:CAR-web-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>
<listener>
    <listener-class>
        org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>


<filter>
    <description>
        generated-spring-security-session-integration-filter
    </description>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <filter-class>
        org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
</filter>
<filter>
    <description>generated-persistence-filter</description>
    <filter-name>CARFilter</filter-name>
    <filter-class>
        org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
    <init-param>
        <param-name>entityManagerFactoryBeanName</param-name>
        <param-value>CAR</param-value>
    </init-param>
</filter>
<filter>
    <description>generated-sitemesh-filter</description>
    <filter-name>Sitemesh Filter</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
</filter>

<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param> 
        <param-name>contextAttribute</param-name> 
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher‌​</param-value> 
    </init-param>
</filter>

<filter-mapping>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>HRBFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>Sitemesh Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<persistence-unit-ref>
    <persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
  </persistence-unit-ref>

  <persistence-context-ref>
    <persistence-context-ref-name>persistence/CAR</persistence-context-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
</persistence-context-ref>

</web-app>

Pom.xml

 <project xmlns="http://maven.Apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.Apache.org/POM/4.0.0 http://maven.Apache.org/maven-v4_0_0.xsd">


<properties>
    <spring.version>4.0.2.RELEASE</spring.version>
    <spring.security.version>3.2.5.RELEASE</spring.security.version>
</properties>

<dependencies>

    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.0.7.RELEASE</version>
    </dependency> 

    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>3.8.1</version>
        <scope>test</scope>
    </dependency>



    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aspects</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-instrument</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-instrument-Tomcat</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-tx</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-jms</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-oxm</artifactId>
        <version>${spring.version}</version>
        <exclusions>
            <exclusion>
                <groupId>commons-lang</groupId>
                <artifactId>commons-lang</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc-portlet</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-struts</artifactId>
        <version>3.1.1.RELEASE</version>
        <exclusions>
            <exclusion>
                <groupId>xalan</groupId>
                <artifactId>xalan</artifactId>
            </exclusion>
            <exclusion>
                <groupId>oro</groupId>
                <artifactId>oro</artifactId>
            </exclusion>
            <exclusion>
                <groupId>commons-digester</groupId>
                <artifactId>commons-digester</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context-support</artifactId>
        <version>${spring.version}</version>
    </dependency>


    <dependency>   <!-- Usata da Hibernate 4 per LocalSessionFactoryBean -->
        <groupId>org.springframework</groupId>
        <artifactId>spring-orm</artifactId>
        <version>3.1.0.RELEASE</version>
    </dependency>


    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjweaver</artifactId>
        <version>1.6.9</version>
    </dependency>

    <dependency>
        <groupId>cglib</groupId>
        <artifactId>cglib-nodep</artifactId>
        <version>2.2</version>
    </dependency>

    <dependency>
        <groupId>commons-pool</groupId>
        <artifactId>commons-pool</artifactId>
        <version>1.5.3</version>
    </dependency>


    <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2</version>
    </dependency>

    <dependency>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
        <version>3.1</version>
    </dependency>


    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-aop</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-expression</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-beans</artifactId>
            </exclusion>

            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>

        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-tx</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-web</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-aop</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-jdbc</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-beans</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-expression</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-acl</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-aop</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-jdbc</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-tx</artifactId>
            </exclusion>
        </exclusions>
    </dependency>


    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-aspects</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-beans</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-cas</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-ldap</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-openid</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>com.google.inject</groupId>
                <artifactId>guice</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-remoting</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${spring.security.version}</version>
    </dependency>


</project>
6
Alina

http.csrf().disable(); devrait être ajouté dans votre classe public class SecurityConfiguration extends WebSecurityConfigurerAdapter

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
        .antMatchers("/login.xhtml").permitAll()
        .antMatchers("/pages/**").access("isAuthenticated()")
        .antMatchers("/run**").access("isAuthenticated()")
        .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
        .successHandler(successHandler)
        .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
        .usernameParameter("username")
        .passwordParameter("password")
        .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);

    http.csrf().disable();
  }
 }

http.csrf().disable() est supporté dans la sécurité printanière 4.0.1 (j'ai consulté la doc 3.2.3, et il est déjà là Classe HttpSecurity )

Je pense qu'il y a quelque chose qui ne va pas dans votre configuration.
Merci de poster tout le code correspondant. par exemple. build.gradle pour Gradle ou pom.xml pour Maven, web.xml, tout le code de configuration de printemps, etc.

4
Vincent Pang

Je suppose que votre configuration implémente WebSecurityConfigurer (par exemple, en étendant WebSecurityConfigurerAdapter ). Si tel est le cas, vous pouvez définir http.csrf().disable(); dans la méthode de configuration écrasée. Vérifiez vos dépendances ou montrez-nous le code de configuration complet.

Cela étant dit, je vous suggère de ne pas le désactiver, mais de mettre en œuvre le bon usage. Jetez un coup d’œil à la documentation de sécurité de Spring comment utiliser le jeton CSRF.

Ce tutoriel } pourrait également être utile.

Mise à jour (pour votre question mise à jour):

Vous laissez votre classe MyConfiguration étendre WebMvcConfigurerAdapter (pour MVC).

Êtes-vous sûr à 100% que cela ne fonctionne pas? Parce que ça marche pour moi.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.authorizeRequests().antMatchers("/login.xhtml").permitAll()
            .antMatchers("/pages/**").access("isAuthenticated()")
            .antMatchers("/run**").access("isAuthenticated()")
            .and()
            .formLogin()
            .loginProcessingUrl("/login")
            .loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username").passwordParameter("password")
            .and().sessionManagement().maximumSessions(2)
            .maxSessionsPreventsLogin(true);
}

Vous devez ajouter une autre classe de configuration qui étend la variable WebSecurityConfigurerAdapter (pour Spring Security). Dans cette configuration, vous pouvez remplacer la méthode SecurityConfigurer # configure (...) .

1
Ortwin Angermeier