"Problem description"
The project uses Spring Boot + Spring Security; the login page is a Thymeleaf template whose form code is as follows:
<form method="POST" action="/login">
    username: <input type="text" name="username"/> <br/>
    Password: <input type="password" name="password"/> <br/>
    <button type="submit">Submit</button>
</form>
Login handler code:
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Enclosing controller class is not shown in the post; the name is assumed here.
@Controller
public class LoginController {

    /**
     * Login operation;
     *
     * @param userName username;
     * @param password password;
     * @param modelMap
     * @param session
     * @return
     */
    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String doLogin(@RequestParam(value = "username", required = true) String userName,
                          @RequestParam(value = "password", required = true) String password,
                          ModelMap modelMap, HttpSession session) {
        // Login processing logic (omitted here);
        return "login"; // view name assumed; the post omits the return value
    }
}
[Screenshot: login page]
It should have been a simple form submission, but after clicking Submit an error appeared:
The message says the "_csrf" parameter or the "X-CSRF-TOKEN" header is missing.
"Cause" Once Spring Security is added, CSRF (cross-site request forgery) protection is enabled by default: every form POSTed to the backend is checked for the _csrf parameter, and if that parameter is missing or incorrect the server returns a 403 error.
Workaround One: add a _csrf hidden field to the form
<form method="POST" action="/login">
    username: <input type="text" name="username"/> <br/>
    Password: <input type="password" name="password"/> <br/>
    <!-- add the hidden field -->
    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
    <button type="submit">Submit</button>
</form>
Compared with the previous form, this adds
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
so that the _csrf value is submitted to the backend together with the form.
Workaround Two: use th:action on the form; Thymeleaf then generates the _csrf hidden field inside the form automatically:
<form method="POST" th:action="@{/login}">
    username: <input type="text" name="username"/> <br/>
    Password: <input type="password" name="password"/> <br/>
    <button type="submit">Submit</button>
</form>
Workaround Three: turn off CSRF protection with http.csrf().disable():
package com.shawearn.blog.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/** Created by Shawearn on 4/24/2017. */
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable(); // switches the CSRF token check off for every request
        // other code omitted;
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // code omitted ...
    }
}
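To make concrete what the filter behind that 403 is comparing, and why workarounds one and two pass while workaround three skips the comparison entirely, here is a small model written in Python for this page (an added illustration, not Spring Security's code; the scenario names, the sample credentials and the constant-time comparison are my own choices, and the session-stored token with the `_csrf` parameter / `X-CSRF-TOKEN` header are the defaults the error message names):

```python
"""Model of the check Spring Security's CsrfFilter performs (illustration, not Spring code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}   # read-only methods are never checked
PARAMETER_NAME = "_csrf"        # what ${_csrf.parameterName} renders to in the template
HEADER_NAME = "X-CSRF-TOKEN"    # what ${_csrf.headerName} renders to


@dataclass
class Session:
    """Server-side session: the expected token lives here, bound to one browser."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_filter(request: Request, session: Session, csrf_enabled: bool = True) -> int:
    """Return the status the filter would produce: 200 to continue, 403 to reject."""
    if not csrf_enabled or request.method.upper() in SAFE_METHODS:
        return 200  # workaround three, or a safe method: nothing is compared at all
    actual = request.params.get(PARAMETER_NAME) or request.headers.get(HEADER_NAME)
    if actual is None:
        return 403  # the "missing _csrf parameter or X-CSRF-TOKEN header" case from the post
    # Compare in constant time so the check leaks nothing about the stored token.
    return 200 if hmac.compare_digest(session.csrf_token, actual) else 403


def login_post(session: Session, token: Optional[str]) -> Request:
    """The login form's POST; workarounds one and two add the hidden _csrf field."""
    params = {"username": "alice", "password": "hunter2"}  # constructed sample input
    if token is not None:
        params[PARAMETER_NAME] = token  # th:value="${_csrf.token}"
    return Request("POST", params)


def outcomes(csrf_enabled: bool = True) -> dict:
    """Status of each scenario discussed on the page, with protection on or off."""
    session = Session()
    return {
        "original form, no token": csrf_filter(login_post(session, None), session, csrf_enabled),
        "workaround one/two": csrf_filter(login_post(session, session.csrf_token), session, csrf_enabled),
        "token in header": csrf_filter(Request("POST", headers={HEADER_NAME: session.csrf_token}), session, csrf_enabled),
        "stale or guessed token": csrf_filter(login_post(session, "not-this-session"), session, csrf_enabled),
    }
```

With `csrf_enabled=False` every scenario returns 200, including the stale or guessed token, which is exactly the trade-off workaround three makes.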
"Summary" Personally I recommend method two. Method one requires manually adding the _csrf hidden field to every form, which is tedious, so I do not particularly recommend it. Method three is simple and crude; if the site genuinely does not need CSRF protection, method three can be used directly.