How to enable Spring Redirect POST Security after logging in using CSRF?

I am using Spring Security 3.2 with CSRF. My configuration includes the following:

  <csrf />
  <form-login default-target-url="/defaultPage"/>

When a user submits a POST form (with a CSRF token) that requires authentication, he is redirected to the login page. Afterwards, instead of the request being resubmitted, the user is redirected to defaultPage by Spring Security.

I suspect that the problem is that the CSRF token gets reset during login.

How can I get such a POST request resubmitted after login?

Update. I tried to create a custom SavedRequestAwareAuthenticationSuccessHandler to redirect to the original POST request. However, I saw that the original request was not even stored in the requestCache.

+3
4 answers

It appears that when CSRF protection is enabled, Spring Security only puts your original request in the requestCache if the request used the GET method. To cache POST requests as well, I created a custom requestCache.

I am not 100% sure that this will not weaken the CSRF protection, but it seems safe to me.

Add the request cache bean to the XML configuration:

<bean id="requestCache" class="a.b.c.AlwaysSaveRequestCache" />

<http>
   <csrf />
   <request-cache ref="requestCache" />
</http>

Implement the custom request cache by extending HttpSessionRequestCache and borrowing code from it:

package a.b.c;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.PortResolverImpl;
import org.springframework.security.web.savedrequest.DefaultSavedRequest;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

public class AlwaysSaveRequestCache extends HttpSessionRequestCache
{
   @Override
   public void saveRequest(HttpServletRequest request, HttpServletResponse response)
   {
      // Same session key that HttpSessionRequestCache.getRequest() reads back
      final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";
      // Save every request, whatever its HTTP method (the default only saves GET when CSRF is on)
      DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, new PortResolverImpl());
      request.getSession().setAttribute(SAVED_REQUEST, savedRequest);
      // logger is the protected Log inherited from HttpSessionRequestCache
      logger.debug("DefaultSavedRequest added to Session: " + savedRequest);
   }
}

Your POST requests should now be cached and resubmitted after the login form has been submitted.

+1
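As an added example (not code from the answer above or from Spring Security itself), the following variant lifts the GET-only restriction without saving every request blindly. HttpSessionRequestCache in Spring Security 3.2 consults a RequestMatcher inside saveRequest(), so instead of overriding saveRequest() the subclass installs a matcher that accepts GET and ordinary form POSTs but rejects multipart uploads (the saved request cannot carry the file body) and XMLHttpRequest calls (a redirect-based replay is useless to a script). The package a.b.c is taken from the answer; the class name SelectiveSaveRequestCache is hypothetical. Wire it with the same <request-cache ref="requestCache" /> element shown above.

```java
package a.b.c;

import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Request cache that saves GET requests and plain form POSTs for replay after
 * login, but skips requests whose replay would be incomplete or pointless.
 * Hypothetical class written for this answer thread, not part of Spring Security.
 */
public class SelectiveSaveRequestCache extends HttpSessionRequestCache
{
   public SelectiveSaveRequestCache()
   {
      // HttpSessionRequestCache.saveRequest() only stores the request when this matcher matches
      setRequestMatcher(new RequestMatcher()
      {
         @Override
         public boolean matches(HttpServletRequest request)
         {
            String method = request.getMethod();
            if (!"GET".equals(method) && !"POST".equals(method)) {
               // PUT/DELETE/etc. are not produced by HTML forms; do not replay them
               return false;
            }

            String contentType = request.getContentType();
            if (contentType != null && contentType.toLowerCase().startsWith("multipart/")) {
               // DefaultSavedRequest keeps parameters and headers, not the uploaded file body
               return false;
            }

            // Browsers' XHR helpers send this header; such callers handle 401/403 themselves
            return !"XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
         }
      });
   }
}
```

Because the replayed POST is a state-changing action issued right after authentication, keep the matcher as narrow as the application needs; a user who logs in should not unknowingly re-execute a request they submitted before their session expired.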

[Answer text partly lost in extraction; surviving fragments:] ... HttpSessionRequestCache ... DefaultSavedRequest ... "multipart/form-data". Multipart ... SavedRequest ... URL ...

0

[Answer text partly lost in extraction.] With CSRF enabled, the CSRF token can be passed as a query parameter in the URL:

<c:url value="/jobseeker/resume/uploadJobSeekerResume1?${_csrf.parameterName}=${_csrf.token}" var="uploadResumeURL"/>
<form:form action="${uploadResumeURL}" method="post" enctype="multipart/form-data">
    <input id="file" name="file" type="file" />
    <div class="modal-footer">
        <button type="submit" class="btn btn-success">
            <span class="glyphicon glyphicon-ok-sign"></span>&nbsp;Save
        </button>
    </div>
</form:form>
0

[Comment text lost in extraction; surviving fragment:] ... URL ... ?

-1
