spring - 403禁止的无效CSRF(403 Forbidden Invalid CSRF)

Question

I am building a web app using spring security and thymeleaf, I got it work with login and logout, but I have some issues when I try to register as an end user.

(我正在使用Spring Security和thymeleaf构建一个Web应用程序，可以通过登录和注销使用它，但是在尝试注册为最终用户时遇到了一些问题。)

I am getting an invalid csrf token error.

(我收到无效的csrf令牌错误。)

I am new to this, and I could use some help.

(我对此并不陌生，可以寻求帮助。)

My question is how can I attach a token to that request?(Post /registration) By the way I haven't used any XML, I use annotations.

(我的问题是如何将令牌附加到该请求？（发布/注册）我没有使用任何XML，而是使用了注释。)

This is the request

(这是要求)

    $scope.registerUser = function() {
      $http.post(BASE_URL + "/registration", $scope.registrationRequest).
          success(function (data, status, headers, config) {
            $log.info("Success: " + headers('Location'));
            $scope.hasRegistered = true;
          }).error(function(data, status, headers, config) {
             $scope.hasRegisterErrors = true;
             $log.info("Error: status =" + status + ", body =" + JSON.stringify(data));
          });
  }

And the error

(和错误)

    Error: status =403, body ={"timestamp":1430645356572,"status":403,"error":"Forbidden","message":"Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.","path":"/registration"}

  ask by SavvasM translate from so

Answer 1

The response message is telling you that the server expects your POST request to include either a "_csfr" parameter or an "X-CSRF-TOKEN" header.

(响应消息告诉您服务器希望您的POST请求包含“ _csfr”参数或“ X-CSRF-TOKEN”标头。)

Presumably, your server has CSFR protection enabled.

(大概您的服务器已启用CSFR保护。)

This is default behaviour with Spring Security though you can disable it.

(这是Spring Security的默认行为，尽管您可以将其禁用。)

(I wouldn't recommend doing that.)

(（我不建议您这样做。）)

The Cross Site Request Forgery (CSRF) chapter of the Spring Security documentation explains what this is all about.

(Spring Security文档的“ 跨站点请求伪造（CSRF）”一章说明了所有内容。)

This section explains how to implement CSRF tokens, including examples that how to embed the token in an HTML <form> or include it in an AJAX request.

(本节说明如何实现CSRF令牌，包括示例如何将令牌嵌入HTML <form>或将其包含在AJAX请求中的示例。)