问题
My project was using Spring Security 3.2.0.RC2 and my JSP's used the Spring taglib's form:form tag to automatically insert the CSRF token into my forms.
After upgrading to Spring Security 3.2.0.RELEASE, I'm finding that the form:form tag no longer automatically inserts the CSRF token into my form, and that I now must manually add it via placing this in my form: <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
Has anyone else encountered the same issue? If so, what did you do for a workaround? Thanks.
回答1:
You need to ensure you are using the @EnableWebMvcSecurity annotation instead of the @EnableWebSecurity annotation as described in Hello Spring MVC Security Java Config. The reason adding the new annotation was to resolve SEC-2436. You will notice that SEC-2463 was added to better document this within the CSRF part of the reference.
来源:https://stackoverflow.com/questions/21195615/upgrading-spring-security-to-3-2-0-release-no-longer-provides-csrf-token-in-spri