Spring Security: cross-site request forgery (CSRF) protection
Configuration in applicationContext-security.xml
<http use-expressions="true" disable-url-rewriting="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <!-- <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> -->
    <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/logincheck" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/error/accessdenied*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <!-- <intercept-url pattern="/messagecode/getimagecode*" access="IS_AUTHENTICATED_ANONYMOUSLY"/> -->
    <!-- cross-site request forgery protection -->
    <csrf />
    <access-denied-handler ref="accessDeniedHandler"/>

    <intercept-url pattern="/**" access="isAuthenticated()" />

    <session-management session-authentication-strategy-ref="sas" />
    <!-- logout -->
    <logout invalidate-session="true" logout-success-url="/login" logout-url="/logout" />
    <!-- login -->
    <custom-filter ref="loginAuthenticationFilter" position="FORM_LOGIN_FILTER" />

    <custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER" />

    <custom-filter ref="mySecurityFilter" before="FILTER_SECURITY_INTERCEPTOR" />
    <!-- switch WeChat official account -->
    <custom-filter ref="switchWxUserFilter" position="SWITCH_USER_FILTER" />

</http>
For details, see the CSRF section of the Spring Security documentation on the Spring website.
When a Spring <form:form> is submitted, Spring automatically adds the anti-forgery (CSRF) token to the form as a hidden field. A file upload is equivalent to submitting the form twice, so the token must also be added manually a second time.
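An added JSP example (not from the original post) showing both cases side by side: a normal <form:form>, which gets the hidden token for free once <csrf /> is enabled, and a multipart upload form, which has to carry the token itself. The view name, the /profile and /upload handlers and the "profile" model attribute are assumptions; the _csrf request attribute with its parameterName and token properties is what Spring Security exposes when <csrf /> is configured.

```jsp
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>

<%-- Ordinary form. <form:form> asks Spring Security's CsrfRequestDataValueProcessor
     for hidden fields, so the rendered HTML already contains
     <input type="hidden" name="_csrf" value="..."/> and nothing else is needed.
     "profile" is an assumed model attribute supplied by the controller. --%>
<form:form method="post" action="${pageContext.request.contextPath}/profile"
           modelAttribute="profile">
    <form:input path="displayName" />
    <input type="submit" value="Save" />
</form:form>

<%-- Multipart upload form. A hidden _csrf field inside a multipart/form-data body is
     not visible to CsrfFilter, because CsrfFilter runs before the multipart body has
     been parsed, so the request is rejected with 403 even though the token was sent.
     Putting the token in the query string of the action URL makes it readable as an
     ordinary request parameter; the tradeoff is that the token can land in access logs,
     so keep this only for the upload endpoint. --%>
<form method="post" enctype="multipart/form-data"
      action="${pageContext.request.contextPath}/upload?${_csrf.parameterName}=${_csrf.token}">
    <input type="file" name="file" />
    <input type="submit" value="Upload" />
</form>

<%-- Alternative that keeps the token out of the URL: declare
     org.springframework.web.multipart.support.MultipartFilter in web.xml ahead of
     springSecurityFilterChain, so the body is parsed first and a plain <form:form>
     with enctype="multipart/form-data" works unchanged. --%>
```

Whichever variant is used, a request to /upload without a valid token should be answered with 403 by CsrfFilter, which is a quick way to confirm the protection is actually in force on the upload path.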