rediscsrftokenrepository

rediscsrftokenrepository

我正在尝试在spring会话redis中添加csrf令牌,以便在集群中运行webapp。
Spring JavaCONFIG/XML(对于旧版本)的需要解决方案
我已经在为会话部分使用redishttpsessionconfiguration(在第一阶段实现)
我的网络安全配置是

package com.groupon.website.config;

import javax.servlet.FilterRegistration;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

private Logger logger = LogManager.getLogger(WebSecurityConfig.class);
@Autowired
@Qualifier("csrfSecurityRequestMatcher")
RequestMatcher csrfSecurityRequestMatcher;

@Autowired
@Qualifier("redisCsrfTokenRepository")
private  CsrfTokenRepository redisCsrfTokenRepository;

@Override
protected void configure(HttpSecurity http) throws Exception {
    logger.info("Inside WebSecurityConfig");

    //403 issue


    http.headers().xssProtection().and().csrf().requireCsrfProtectionMatcher(csrfSecurityRequestMatcher)
            .csrfTokenRepository(redisCsrfTokenRepository)
        ;

    }

  }

而csrftokenrepository是rediscsrftokenrepository
package com.groupon.website.config;


import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.session.ExpiringSession;
 import org.springframework.session.data.redis.RedisOperationsSessionRepository;
 import org.springframework.stereotype.Component;
 import org.springframework.util.SerializationUtils;

 import redis.clients.jedis.Jedis;

 @Component
 public class RedisCsrfTokenRepository implements         CsrfTokenRepository,InitializingBean {

private static final Logger log =           LoggerFactory.getLogger(RedisCsrfTokenRepository.class);

public static final String CSRF_PARAMETER_NAME = "_csrf";

public static final String CSRF_HEADER_NAME = "X-CSRF-TOKEN";

@Value("${redis.host.name}")
private String redisHostName;
@Value("${redis.port}")
private int redisPort;

private Jedis tokenRepository;

@Autowired
private JedisConnectionFactory jedisConnectionFactory;

//@Autowired
//private RedisOperationsSessionRepository sessionRepository;


 public RedisCsrfTokenRepository() {
    log.info("Creating {}", RedisCsrfTokenRepository.class.getSimpleName());

}

@Override
public CsrfToken generateToken(HttpServletRequest request) {
    return new DefaultCsrfToken(CSRF_HEADER_NAME, CSRF_PARAMETER_NAME, createNewToken());
}

@Override
public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
    String key = getKey(request);
    if (key == null)
        return;

    if (token == null) {
        //Use connection factory
        //tokenRepository.del(key.getBytes());
        jedisConnectionFactory.getConnection().del(key.getBytes());
    } else {
        //Use connection factory
        //tokenRepository.set(key.getBytes(), SerializationUtils.serialize(token));
        jedisConnectionFactory.getConnection().set(key.getBytes(), SerializationUtils.serialize(token));
    }

}

@Override
public CsrfToken loadToken(HttpServletRequest request) {
    String key = getKey(request);
    if (key != null) {
        //Use connection factory
        //byte[] tokenString = tokenRepository.get(key.getBytes());
        byte[] tokenString = jedisConnectionFactory.getConnection().get(key.getBytes());
        if (tokenString != null) {
            return (CsrfToken) SerializationUtils.deserialize(tokenString);
        }
    }
    return null;
}

private String getKey(HttpServletRequest request) {

    //getKey going to be changed
    HttpSession session = request.getSession(false);
    //RedisOperationsSessionRepository sessionRepository = new RedisOperationsSessionRepository(redisConnectionFactory)

    //ExpiringSession session = sessionRepository.getSession(request.getSession().getId());
    if (session == null) {
        return null;
    }

    String result = session.getId()+CSRF_PARAMETER_NAME;
    //String result = request.getHeader("X-CSRF-TOKEN");
    return result;
}

private String createNewToken() {
    return UUID.randomUUID().toString();
}

@Override
public void afterPropertiesSet() throws Exception {
    tokenRepository = new Jedis(redisHostName, redisPort, 30000);
}
}

(没有使用tokenrpository,我只是复制粘贴代码,但使用的是jedisconnectionfatcory)
我仍然间歇性地得到403,以表明没有获得csrf令牌。
只显示了Java配置。有人能帮我一下吗?

最佳答案

我们通过将rediscsrftokenrepository更改为从而不是从

HttpSession session = request.getSession(false);

我们正在使用
Cookie sessionCookies = WebUtil.getCookie (request, WebAppConstants.SESSION);


if (sessionCookies == null || sessionCookies.getValue() == null) {
    return null;
}

String sessionId = sessionCookies.getValue();

因为我们用的是有效的饼干。
在管道中,更改DefaultSessionFilter,以便不需要进行此更改。

10-07 16:32