Introduction to SpringSecurity's method of handling CSRF attacks
- 不言forward
- 2019-03-06 15:37:513287browse
This article brings you an example explanation of Django's FBV and CBV. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.
CSRF Vulnerability Status
CSRF (Cross-site request forgery) cross-site request forgery, also known as One Click Attack or Session Riding, usually abbreviated as CSRF or XSRF is a malicious use of a website. Although it sounds like cross-site scripting (XSS), it is very different from XSS, which exploits trusted users within a site, and CSRF, which exploits trusted websites by masquerading as requests from trusted users. Compared with XSS attacks, CSRF attacks tend to be less popular (so resources to prevent them are also quite scarce) and difficult to prevent, so they are considered more dangerous than XSS.
CSRF is an obfuscated proxy attack that relies on web browsers.
POM dependency
<!-- 模板引擎 freemarker --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-freemarker</artifactId> </dependency> <!-- Security (只使用CSRF部分) --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> </dependency>
Configuration filter
@SpringBootApplication
public class Application {
public static void main(String[] args) {
SpringApplication.run(Application.class, args);
}
/**
* 配置CSRF过滤器
*
* @return {@link org.springframework.boot.web.servlet.FilterRegistrationBean}
*/
@Bean
public FilterRegistrationBean<CsrfFilter> csrfFilter() {
FilterRegistrationBean<CsrfFilter> registration = new FilterRegistrationBean<>();
registration.setFilter(new CsrfFilter(new HttpSessionCsrfTokenRepository()));
registration.addUrlPatterns("/*");
registration.setName("csrfFilter");
return registration;
}
}
Add CSRF hidden fields in the form request
<input name="${(_csrf.parameterName)!}" value="${(_csrf.token)!}" type="hidden" />
Add header in AJAX request
xhr.setRequestHeader("${_csrf.headerName}", "${_csrf.token}");
jQuery’s Ajax global configuration
jQuery.ajaxSetup({
"beforeSend": function (request) {
request.setRequestHeader("${_csrf.headerName}", "${_csrf.token}");
}
});The above is the detailed content of Introduction to SpringSecurity's method of handling CSRF attacks. For more information, please follow other related articles on the PHP Chinese website!