
How do I combine token authorization with CSRF?

Stack Overflow user
Asked 2017-02-27 10:10:26
1 answer, 485 views, 0 followers, 0 votes

I am developing a web application that consists of

  • REST services (Spring 4) with JWT token authentication
  • Web pages (login.xhtml, index.xhtml) (JSF, PrimeFaces)

The problem I am facing is strange.

If Spring Security is enabled, any access to the REST web services has to be authenticated before access is granted. I use JWT token authentication at login. However, my web pages fail after I log in. That is, my login succeeds, but every action after that results in an invalid csrf token or null request error.

If Spring Security is disabled, my REST services do not need authentication to access the web services, but my web pages work perfectly.

How can I integrate the two solutions?

All my web pages include the following:

```html
<input type="hidden" name="${_csrf.parameterName}"
                value="${_csrf.token}" />
```

ApplicationContext-Security.xml:

```xml
<http pattern="/auth/login" security="none" />
    <http pattern="/login.xhtml" security="none" />
    <http pattern="/index.xhtml" security="none" />
    <http pattern="/javax.faces.resource/**" security="none" />
    <http pattern="/RES_NOT_FOUND" security="none" />
    <http pattern="/img/**" security="none" />

    <sec:http auto-config="false" create-session="stateless" entry-point-ref="customEntryPoint" use-expressions="true">
        <intercept-url pattern="/admin/**"          access="hasRole('ADMIN') or hasRole('HQ')" />
        <intercept-url pattern="/audit/**"          access="hasRole('ADMIN')" />
        <intercept-url pattern="/request/**"        access="hasRole('ADMIN') or hasRole('HQ')" />
        <intercept-url pattern="/reporting/**"      access="hasRole('ADMIN') or hasRole('HQ')" />

        <sec:custom-filter ref="customAuthenticationFilter"
            before="PRE_AUTH_FILTER" />

<!--        <sec:csrf disabled="true" /> -->
    </sec:http>
```

As you can see, I included <http pattern="/index.xhtml" security="none" /> so that the features in index.xhtml would work. But now index.xhtml can be accessed directly.

Can anyone suggest how to solve this?

===== EDIT: more information =====

In addition, here are my login page and controller.

login.xhtml:

```xml
<html lang="en" xmlns="http://www.w3.org/1999/xhtml"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:ui="http://java.sun.com/jsf/facelets">

<h:head>
    <title>BTS Upload</title>
    <h:outputStylesheet library="css" name="bootstrap.min.css" />
    <h:outputScript library="js" name="jquery-1.11.1.min.js" />
    <h:outputScript library="js" name="bootstrap.min.js" />
</h:head>

<!-- Css here -->

<h:body>
    <font color="red"> <h:outputLabel
            value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />
    </font>

    <div class="container">
        <div class="row">
            <div class="col-sm-6 col-md-4 col-md-offset-4">
                <h1 class="text-center login-title">Sign in</h1>
                <div class="account-wall">

                    <h:graphicImage class="profile-img" library="images"
                        name="photo.png" />

                    <h:form class="form-signin">
                        <h:outputLabel value="Enter UserName:" />

                        <h:inputText id="username" value="#{loginAction.username}"
                            required="true" requiredMessage="Please enter your username"
                            autofocus="true" class="form-control"></h:inputText>

                        <h:message for="username" id="msg"
                            errorStyle="color:red; display:block" />

                        <br />
                        <h:outputLabel value="Enter Password:" />
                        <h:inputSecret id="password" value="#{loginAction.pwd}"
                            required="true" requiredMessage="Please enter your password"
                            class="form-control"></h:inputSecret>

                        <h:message for="password" id="msg1"
                            errorStyle="color:red; display:block" />

                        <br />
                        <br />

                        <h:commandButton class="btn btn-lg btn-primary btn-block"
                            action="#{loginAction.login}"
                            value="Login"></h:commandButton>

                        <input type="hidden" name="${_csrf.parameterName}"
                            value="${_csrf.token}" />

                    </h:form>
                </div>

            </div>
        </div>
    </div>
</h:body>
</html>
```

Controller:

```java
import java.io.Serializable;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ManagedProperty;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSession;

// BaseAction (which supplies getRequest()/getSession()), AccessControlService and
// PropertiesUtil are the project's own classes; their packages are not shown in the post.

@ManagedBean(name="loginAction")
@SessionScoped
public class LoginAction extends BaseAction implements Serializable
{
    private static final long serialVersionUID = 1094801825228386363L;

    private String pwd;
    private String msg;
    private String username;

    @ManagedProperty("#{accessControlService}")
    private AccessControlService accessControlService;

    public String getPwd()
    {
        return pwd;
    }

    public void setPwd(String pwd)
    {
        this.pwd = pwd;
    }

    public String getMsg()
    {
        return msg;
    }

    public void setMsg(String msg)
    {
        this.msg = msg;
    }

    public String getUsername()
    {
        return username;
    }

    public void setUsername(String user)
    {
        this.username = user;
    }

    //validate login and redirect to the specified website.
    public String login()
    {

        System.out.println();
        System.out.println("Call Log in");

        if (username.equals("") || pwd.equals(""))
        {
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN,
                    "Incorrect Username and Password", "Please enter correct username and Password"));
            return "login";
        }

        boolean valid = false;
        String token = "";

        try
        {
            // Calls the REST login; returns the JWT (prefixed with the token header) on success.
            token = accessControlService.isAuthorizedUser(username, pwd, PropertiesUtil.LoginType.WEB_BTS.ordinal(), this.getRequest());
        }
        catch (Exception e)
        {
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN,
                    "Error", e.getLocalizedMessage()));
        }

        // Null guard: the service may return null on failure instead of throwing.
        if(token != null && token.contains(PropertiesUtil.TOKEN_HEADER))
        {
            valid = true;
        }

        if (valid)
        {
            // The JWT is kept in the HTTP session, so the JSF side is session-based from here on.
            HttpSession session = this.getSession();
            session.setAttribute("username", username);
            session.setAttribute("token", token);

            return "admin";
        }
        else
        {
            FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN,
                    "Incorrect Username and Password", "Please enter correct username and Password"));
            return "login";
        }
    }

    // logout event, invalidate session
    public String logout()
    {
        System.out.println("**********************************************************");
        try
        {
            accessControlService.logout(getUsername(), PropertiesUtil.LoginType.WEB_BTS.ordinal(), getRequest());
            HttpSession session = this.getSession();
            session.invalidate();
        }
        catch (Exception e)
        {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

        return "login";
    }

    public AccessControlService getAccessControlService()
    {
        return accessControlService;
    }

    public void setAccessControlService(AccessControlService accessControlService)
    {
        this.accessControlService = accessControlService;
    }
}
```

1 Answer

Stack Overflow user

Answered 2017-02-27 10:21:30

First, you have to make sure your *-security.xml and *-servlet.xml are compatible with Spring Security 4. Take a look at this.

From the part of security.xml you posted, I can see that you have no form-login tag. It should look like this:

```xml
<security:form-login default-target-url="/index"
                         login-page="/login"
                         username-parameter="j_username"
                         password-parameter="j_password"
                         login-processing-url="/j_spring_security_check"
                         authentication-failure-url="/login?login_error=1"/>
```

Your login JSP needs the action j_spring_security_check to trigger the filter chain:

```html
<form action="<c:url value="/j_spring_security_check"/>" method="POST"> ...
```

You don't need the hidden CSRF input, because since Spring 4 Spring automatically injects it into the request header and parameters (if it hasn't been disabled).

Votes: 0
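The configuration below is an added example and is neither the asker's ApplicationContext-Security.xml nor the answerer's code. It shows the structural fix a practitioner would apply to the configuration in the question and the form-login element in the answer: split the single chain into two. The REST endpoints run with `create-session="stateless"` and CSRF disabled, which is safe because the JWT travels in an Authorization header that a browser never attaches to a cross-site request on its own; the JSF pages keep an HTTP session and CSRF protection, since Spring Security's default `HttpSessionCsrfTokenRepository` stores the expected token in the session and a stateless chain therefore has nowhere to keep it, which is exactly the combination the question's single stateless chain with CSRF enabled runs into. The `/api` prefix, the `/login` and `/logout` URLs and the bean name `jsfUserDetailsService` are assumptions; `customAuthenticationFilter` and `customEntryPoint` are the bean names from the question.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Static resources: no filter chain at all. index.xhtml is deliberately NOT
         listed here, so it can no longer be opened without logging in. -->
    <http pattern="/javax.faces.resource/**" security="none" />
    <http pattern="/img/**" security="none" />

    <!-- Chain 1: the REST API under /api (assumed prefix). Stateless; authenticated
         by the JWT filter reading the Authorization header. CSRF is disabled ONLY
         here, because the browser never adds that header to a cross-site request. -->
    <http pattern="/api/**" create-session="stateless" use-expressions="true"
          entry-point-ref="customEntryPoint">
        <csrf disabled="true" />
        <custom-filter ref="customAuthenticationFilter" before="PRE_AUTH_FILTER" />
        <intercept-url pattern="/api/auth/login"  access="permitAll" />
        <intercept-url pattern="/api/admin/**"    access="hasRole('ADMIN') or hasRole('HQ')" />
        <intercept-url pattern="/api/audit/**"    access="hasRole('ADMIN')" />
        <intercept-url pattern="/api/**"          access="isAuthenticated()" />
    </http>

    <!-- Chain 2: everything else, i.e. the JSF pages. A session is allowed here
         (the @SessionScoped bean needs one anyway), so the default session-backed
         CSRF token repository has somewhere to keep the expected token and the
         hidden ${_csrf.parameterName} input in the pages validates. -->
    <http use-expressions="true" create-session="ifRequired">
        <csrf />
        <intercept-url pattern="/login.xhtml"  access="permitAll" />
        <intercept-url pattern="/admin/**"     access="hasRole('ADMIN') or hasRole('HQ')" />
        <intercept-url pattern="/audit/**"     access="hasRole('ADMIN')" />
        <intercept-url pattern="/request/**"   access="hasRole('ADMIN') or hasRole('HQ')" />
        <intercept-url pattern="/reporting/**" access="hasRole('ADMIN') or hasRole('HQ')" />
        <intercept-url pattern="/**"           access="isAuthenticated()" />
        <!-- A plain POST to /login (assumed URL) carrying username, password and the
             _csrf field. username/password are Spring Security 4's default
             parameter names; j_username/j_password were the Spring Security 3 names. -->
        <form-login login-page="/login.xhtml"
                    login-processing-url="/login"
                    username-parameter="username"
                    password-parameter="password"
                    default-target-url="/index.xhtml"
                    authentication-failure-url="/login.xhtml?error=1" />
        <!-- With CSRF enabled, logout only accepts POST (and needs the _csrf field). -->
        <logout logout-url="/logout" logout-success-url="/login.xhtml"
                invalidate-session="true" />
    </http>

    <!-- Assumed: the JSF chain authenticates against a UserDetailsService bean
         named jsfUserDetailsService (an adapter over the project's
         AccessControlService would do); the question does not show this bean. -->
    <authentication-manager>
        <authentication-provider user-service-ref="jsfUserDetailsService" />
    </authentication-manager>
</beans:beans>
```

Order matters: `<http>` elements are tried top to bottom and the first whose `pattern` matches handles the request, so the stateless `/api/**` chain has to precede the pattern-less catch-all. The `<h:form>` in the question's login.xhtml posts back to the JSF view itself, not to `/login`, so `<form-login>` is only triggered by a plain `<form method="POST" action="/login">` with `username`, `password` and the hidden CSRF field; keeping `LoginAction.login()` instead means that bean has to populate Spring's `SecurityContext` itself, which is not shown here. Two checks after the change: a POST to a JSF page without the `_csrf` parameter must come back as 403, and a request to `/api/admin/**` without an `Authorization` header must receive the custom entry point's response rather than a redirect to login.xhtml.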
Page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/42482962
