hi, I'm trying to follow a simple example about doing a simple login form page that I found in this page http://docs.spring.io/autorepo/docs/spring-security/4.0.x/guid
From the Spring Security documentation:
"CSRF protection is enabled by default with Java configuration. If you would like to disable CSRF, the corresponding Java configuration can be seen below. Refer to the Javadoc of csrf() for additional customizations in how CSRF protection is configured."
And, when CSRF protection is enabled:
"The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE methods."
In your case, you have already determined the possible solutions:
http.csrf().disable()
or, since you are using Thymeleaf, you will have to do something like the following in your HTML template for the login page:
Note that you must use th:action and not HTML action, as the Thymeleaf CSRF processor will kick in only with the former.
You could change the form submission method to GET just to get over the problem, but that isn't recommended since the users are going to submit sensitive information in the form.
I typically create a Thymeleaf fragment that is then used in all pages with forms to generate the markup for the forms with the CSRF token included. This reduces boilerplate code across the app.
Use @EnableWebMvcSecurity instead of @EnableWebSecurity to enable automatic injection of the CSRF token with Thymeleaf tags. Also use instead of with Spring 3.2+ and Thymeleaf 2.1+ to force Thymeleaf to include the CSRF token as a hidden field automatically (source: Spring JIRA).
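To make the two answers above concrete, here is an added example login template (not from the question, either answer, or the Spring documentation) that keeps CSRF protection enabled and shows both the automatic th:action route and the explicit fallback. It assumes Spring Security's default form-login endpoint /login with the default username and password field names, and the default _csrf request attribute exposed by Spring Security's CsrfFilter; the fragment file name fragments.html is a made-up placeholder.

```html
<!DOCTYPE html>
<!-- login.html: Thymeleaf template; CSRF protection is left enabled in the Java config
     (no http.csrf().disable()), so every POST must carry the token. -->
<html xmlns:th="http://www.thymeleaf.org">
<head><title>Login</title></head>
<body>
  <!-- Route 1: th:action (not a plain HTML action attribute). With Spring 3.2+ and
       Thymeleaf 2.1+, Thymeleaf's Spring integration appends the hidden CSRF field
       to this POST form for you. -->
  <form th:action="@{/login}" method="post">
    <label>User <input type="text" name="username"/></label>
    <label>Password <input type="password" name="password"/></label>
    <button type="submit">Sign in</button>
  </form>

  <!-- What the browser actually receives for the form above (token value is
       constructed for illustration; the real one is generated per session):
       <form action="/login" method="post">
         <input type="text" name="username"/>
         <input type="password" name="password"/>
         <input type="hidden" name="_csrf" value="8f2c...example"/>
       </form>
       A POST to /login without that hidden field is rejected by Spring Security
       with HTTP 403, which is the symptom a plain action="/login" form produces. -->

  <!-- Route 2: explicit token. Useful when a form cannot use th:action, e.g. it is
       built by a non-Thymeleaf component. The _csrf attribute is put on the request
       by Spring Security and exposes parameterName ("_csrf") and token. -->
  <form action="/login" method="post">
    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
    <label>User <input type="text" name="username"/></label>
    <label>Password <input type="password" name="password"/></label>
    <button type="submit">Sign in</button>
  </form>

  <!-- Route 2 packaged as a reusable fragment, as the first answer suggests doing
       across the app. Definition (assumed file fragments.html):
       <div th:fragment="csrf">
         <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
       </div>
       Use inside any POST/PUT/PATCH/DELETE form: -->
  <form action="/logout" method="post">
    <div th:replace="fragments :: csrf"></div>
    <button type="submit">Sign out</button>
  </form>
</body>
</html>
```

Either route satisfies the documentation's "include the CSRF token" requirement; disabling CSRF or switching the login form to GET does not, and GET would additionally put the password in the URL and server logs.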