Получение ошибки «Неверный токен CSRF», даже если CSRF отключен

Получение ошибки «Неверный токен CSRF», даже если CSRF отключен ⇐ JAVA

1 сообщение • Страница 1 из 1

Гость

Получение ошибки «Неверный токен CSRF», даже если CSRF отключен

Цитата

Сообщение Гость » 13 мар 2024, 18:48

Недавно я обновил свое приложение Spring Boot до Spring Boot 3.2 и Spring Security 6.2. Я также представил токены формата JWT для авторизации.
Я хочу отключить требование токена CSRF, поскольку я уже использую токен JWT. Но даже после его отключения в классе конфигурации безопасности, когда я делаю запрос на создание токена JWT, отправляя POST-запрос к конечной точке /oauth2/token, я получаю в ответ 401 несанкционированную ошибку.
Ниже это мой фрагмент конфигурации безопасности:

Код: Выделить всё

@Bean
AuthenticationManager authManager(HttpSecurity http) throws Exception {
AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
authenticationManagerBuilder.authenticationProvider(authenticationProvider());
authenticationManagerBuilder.eraseCredentials(false);
return authenticationManagerBuilder.build();
}

// @formatter:off
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();

authorizationServerConfigurer
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.accessTokenResponseHandler(authenticationSuccessHandler())
.accessTokenRequestConverter(new CasServiceGrantAuthenticationConverter())
.authenticationProvider(authenticationProvider()));

http.csrf(AbstractHttpConfigurer::disable)
.anonymous(AbstractHttpConfigurer::disable)
.formLogin(AbstractHttpConfigurer::disable)
.httpBasic(AbstractHttpConfigurer::disable)
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests((authorize) -> {
authorize.requestMatchers("/oauth2/token", "/error").permitAll()
.anyRequest().permitAll();
})
.authenticationProvider(authenticationProvider())
.oauth2ResourceServer((resourceServer) ->  resourceServer.jwt(Customizer.withDefaults()))
.apply(authorizationServerConfigurer);

return http.build();
}
// @formatter:on

@Bean
RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
return new JdbcRegisteredClientRepository(jdbcTemplate);
}

@Bean
OAuth2AuthorizationService oAuth2AuthorizationService() {
return new InMemoryOAuth2AuthorizationService();
}

@Bean
AuthorizationServerSettings authorizationServerSettings() {
return AuthorizationServerSettings.builder().build();
}

Ниже приведен вывод журнала консоли, когда я вызываю API к конечной точке /oauth2/token:

Код: Выделить всё

[2m2024-03-13T15:35:02.621Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /oauth2/token
[2m2024-03-13T15:35:02.621Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DisableEncodeUrlFilter (1/16)
[2m2024-03-13T15:35:02.638Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking WebAsyncManagerIntegrationFilter (2/16)
[2m2024-03-13T15:35:02.638Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking SecurityContextHolderFilter (3/16)
[2m2024-03-13T15:35:02.646Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking HeaderWriterFilter (4/16)
[2m2024-03-13T15:35:02.646Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CorsFilter (5/16)
[2m2024-03-13T15:35:02.646Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CsrfFilter (6/16)
[2m2024-03-13T15:35:02.669Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.csrf.CsrfFilter        [0;39m [2m:[0;39m Invalid CSRF token found for http://localhost:9091/oauth2/token
[2m2024-03-13T15:35:02.669Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.access.AccessDeniedHandlerImpl  [0;39m [2m:[0;39m Responding with 403 status code
[2m2024-03-13T15:35:02.677Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.header.writers.HstsHeaderWriter [0;39m [2m:[0;39m Not injecting HSTS header since it did not match request to [Is Secure]
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@5d33742, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7cf3544, org.springframework.security.web.context.SecurityContextHolderFilter@792841ab, org.springframework.security.web.header.HeaderWriterFilter@70841eba, org.springframework.web.filter.CorsFilter@4087fff9, org.springframework.security.web.csrf.CsrfFilter@328dce25, org.springframework.security.web.authentication.logout.LogoutFilter@11fb5c55, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@37539d92, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@42cb71f9, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@266737c4, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6aa4b9ae, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@32975a20, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@266713d4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@3a126d6d, org.springframework.security.web.access.ExceptionTranslationFilter@5c33a1b3,  org.springframework.security.web.access.intercept.AuthorizationFilter@16b59ac4]] (1/1)
[2m2024-03-13T15:35:02.694Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /error
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DisableEncodeUrlFilter (1/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking WebAsyncManagerIntegrationFilter (2/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking SecurityContextHolderFilter (3/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking HeaderWriterFilter (4/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CorsFilter (5/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CsrfFilter (6/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking LogoutFilter (7/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.logout.LogoutFilter           [0;39m [2m:[0;39m Did not match request to Ant [pattern='/logout', POST]
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking UsernamePasswordAuthenticationFilter (8/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mw.a.UsernamePasswordAuthenticationFilter[0;39m [2m:[0;39m Did not match request to Ant [pattern='/login', POST]
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DefaultLoginPageGeneratingFilter (9/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DefaultLogoutPageGeneratingFilter (10/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking BasicAuthenticationFilter (11/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking RequestCacheAwareFilter (12/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.s.HttpSessionRequestCache       [0;39m [2m:[0;39m matchingRequestParameterName is required for getMatchingRequest to lookup a value,  but not provided
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking SecurityContextHolderAwareRequestFilter (13/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking AnonymousAuthenticationFilter (14/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking ExceptionTranslationFilter (15/16)
[2m2024-03-13T15:35:02.701Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking AuthorizationFilter (16/16)
[2m2024-03-13T15:35:02.701Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mestMatcherDelegatingAuthorizationManager[0;39m [2m:[0;39m Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@54878cee]]
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mestMatcherDelegatingAuthorizationManager[0;39m [2m:[0;39m Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@54878cee]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@1129e8d0
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mw.c.HttpSessionSecurityContextRepository[0;39m [2m:[0;39m Did not find SecurityContext in HttpSession A55AA532047F0432CEFA487835EDE24C using the SPRING_SECURITY_CONTEXT session attribute
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36m.s.s.w.c.SupplierDeferredSecurityContext[0;39m [2m:[0;39m Created SecurityContextImpl [Null authentication]
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36m.s.s.w.c.SupplierDeferredSecurityContext[0;39m [2m:[0;39m Created SecurityContextImpl [Null authentication]
[2m2024-03-13T15:35:02.713Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A55AA532047F0432CEFA487835EDE24C], Granted Authorities=[ROLE_ANONYMOUS]]
[2m2024-03-13T15:35:02.717Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.ExceptionTranslationFilter    [0;39m [2m:[0;39m Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A55AA532047F0432CEFA487835EDE24C], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.2.2.jar:6.2.2]
...

From above console log it appears that CsrfFilter is getting invoked due to which it gives 403 status code in response.
Can you help me identify what can be the solution to this issue? I am trying since 3-4 days and tried many ways to debug and identify the issue. Thanks

Источник: https://stackoverflow.com/questions/781 ... s-disabled

1710344924

Гость


Недавно я обновил свое приложение Spring Boot до Spring Boot 3.2 и Spring Security 6.2. Я также представил токены формата JWT для авторизации.
Я хочу отключить требование токена CSRF, поскольку я уже использую токен JWT.  Но даже после его отключения в классе конфигурации безопасности, когда я делаю запрос на создание токена JWT, отправляя POST-запрос к конечной точке /oauth2/token, я получаю в ответ 401 несанкционированную ошибку.
Ниже это мой фрагмент конфигурации безопасности:
[code]@Bean
AuthenticationManager authManager(HttpSecurity http) throws Exception {
AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
authenticationManagerBuilder.authenticationProvider(authenticationProvider());
authenticationManagerBuilder.eraseCredentials(false);
return authenticationManagerBuilder.build();
}

// @formatter:off
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();

authorizationServerConfigurer
.tokenEndpoint(tokenEndpoint ->
tokenEndpoint
.accessTokenResponseHandler(authenticationSuccessHandler())
.accessTokenRequestConverter(new CasServiceGrantAuthenticationConverter())
.authenticationProvider(authenticationProvider()));

http.csrf(AbstractHttpConfigurer::disable)
.anonymous(AbstractHttpConfigurer::disable)
.formLogin(AbstractHttpConfigurer::disable)
.httpBasic(AbstractHttpConfigurer::disable)
.cors(cors -> cors.configurationSource(corsConfigurationSource()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests((authorize) -> {
authorize.requestMatchers("/oauth2/token", "/error").permitAll()
.anyRequest().permitAll();
})
.authenticationProvider(authenticationProvider())
.oauth2ResourceServer((resourceServer) ->  resourceServer.jwt(Customizer.withDefaults()))
.apply(authorizationServerConfigurer);

return http.build();
}
// @formatter:on

@Bean
RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
return new JdbcRegisteredClientRepository(jdbcTemplate);
}

@Bean
OAuth2AuthorizationService oAuth2AuthorizationService() {
return new InMemoryOAuth2AuthorizationService();
}

@Bean
AuthorizationServerSettings authorizationServerSettings() {
return AuthorizationServerSettings.builder().build();
}
[/code]
Ниже приведен вывод журнала консоли, когда я вызываю API к конечной точке /oauth2/token:
[code][2m2024-03-13T15:35:02.621Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /oauth2/token
[2m2024-03-13T15:35:02.621Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DisableEncodeUrlFilter (1/16)
[2m2024-03-13T15:35:02.638Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking WebAsyncManagerIntegrationFilter (2/16)
[2m2024-03-13T15:35:02.638Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking SecurityContextHolderFilter (3/16)
[2m2024-03-13T15:35:02.646Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking HeaderWriterFilter (4/16)
[2m2024-03-13T15:35:02.646Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CorsFilter (5/16)
[2m2024-03-13T15:35:02.646Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CsrfFilter (6/16)
[2m2024-03-13T15:35:02.669Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.csrf.CsrfFilter        [0;39m [2m:[0;39m Invalid CSRF token found for http://localhost:9091/oauth2/token
[2m2024-03-13T15:35:02.669Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.access.AccessDeniedHandlerImpl  [0;39m [2m:[0;39m Responding with 403 status code
[2m2024-03-13T15:35:02.677Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.header.writers.HstsHeaderWriter [0;39m [2m:[0;39m Not injecting HSTS header since it did not match request to [Is Secure]
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@5d33742, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7cf3544, org.springframework.security.web.context.SecurityContextHolderFilter@792841ab, org.springframework.security.web.header.HeaderWriterFilter@70841eba, org.springframework.web.filter.CorsFilter@4087fff9, org.springframework.security.web.csrf.CsrfFilter@328dce25, org.springframework.security.web.authentication.logout.LogoutFilter@11fb5c55, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@37539d92, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@42cb71f9, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@266737c4, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@6aa4b9ae, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@32975a20, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@266713d4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@3a126d6d, org.springframework.security.web.access.ExceptionTranslationFilter@5c33a1b3,  org.springframework.security.web.access.intercept.AuthorizationFilter@16b59ac4]] (1/1)
[2m2024-03-13T15:35:02.694Z[0;39m [32mDEBUG[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Securing POST /error
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DisableEncodeUrlFilter (1/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking WebAsyncManagerIntegrationFilter (2/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking SecurityContextHolderFilter (3/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking HeaderWriterFilter (4/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CorsFilter (5/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking CsrfFilter (6/16)
[2m2024-03-13T15:35:02.694Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking LogoutFilter (7/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.logout.LogoutFilter           [0;39m [2m:[0;39m Did not match request to Ant [pattern='/logout', POST]
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking UsernamePasswordAuthenticationFilter (8/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mw.a.UsernamePasswordAuthenticationFilter[0;39m [2m:[0;39m Did not match request to Ant [pattern='/login', POST]
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DefaultLoginPageGeneratingFilter (9/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking DefaultLogoutPageGeneratingFilter (10/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking BasicAuthenticationFilter (11/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking RequestCacheAwareFilter (12/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.s.HttpSessionRequestCache       [0;39m [2m:[0;39m matchingRequestParameterName is required for getMatchingRequest to lookup a value,  but not provided
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking SecurityContextHolderAwareRequestFilter (13/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking AnonymousAuthenticationFilter (14/16)
[2m2024-03-13T15:35:02.696Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking ExceptionTranslationFilter (15/16)
[2m2024-03-13T15:35:02.701Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.security.web.FilterChainProxy       [0;39m [2m:[0;39m Invoking AuthorizationFilter (16/16)
[2m2024-03-13T15:35:02.701Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mestMatcherDelegatingAuthorizationManager[0;39m [2m:[0;39m Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@54878cee]]
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mestMatcherDelegatingAuthorizationManager[0;39m [2m:[0;39m Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@54878cee]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@1129e8d0
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mw.c.HttpSessionSecurityContextRepository[0;39m [2m:[0;39m Did not find SecurityContext in HttpSession A55AA532047F0432CEFA487835EDE24C using the SPRING_SECURITY_CONTEXT session attribute
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36m.s.s.w.c.SupplierDeferredSecurityContext[0;39m [2m:[0;39m Created SecurityContextImpl [Null authentication]
[2m2024-03-13T15:35:02.710Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36m.s.s.w.c.SupplierDeferredSecurityContext[0;39m [2m:[0;39m Created SecurityContextImpl [Null authentication]
[2m2024-03-13T15:35:02.713Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.AnonymousAuthenticationFilter [0;39m [2m:[0;39m Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A55AA532047F0432CEFA487835EDE24C], Granted Authorities=[ROLE_ANONYMOUS]]
[2m2024-03-13T15:35:02.717Z[0;39m [32mTRACE[0;39m [35m22908[0;39m [2m---[0;39m [2m[ttoyou-api-gateway-service] [nio-9091-exec-1][0;39m [2m[0;39m[36mo.s.s.w.a.ExceptionTranslationFilter    [0;39m [2m:[0;39m Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A55AA532047F0432CEFA487835EDE24C], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.2.2.jar:6.2.2]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.2.2.jar:6.2.2]
...
[/code]
From above console log it appears that CsrfFilter is getting invoked due to which it gives 403 status code in response.
Can you help me identify what can be the solution to this issue? I am trying since 3-4 days and tried many ways to debug and identify the issue. Thanks
 

Источник: [url]https://stackoverflow.com/questions/78155117/getting-invalid-csrf-token-error-even-when-csrf-is-disabled[/url]

Ответить Пред. тема След. тема

1 сообщение • Страница 1 из 1

Быстрый ответ

Заголовок:

Имя пользователя:

Изменение регистра текста:

Смайлики

Ещё смайлики…

К этому ответу прикреплено по крайней мере одно вложение.

Если вы не хотите добавлять вложения, оставьте поля пустыми. Можно прикреплять файлы, перетаскивая их в окно сообщения.

Максимально разрешённый размер вложения: 15 МБ.

Имя файла:

Комментарий к файлу:

Имя файла	Комментарий к файлу	Размер	Статус

Похожие темы

Ответы

Просмотры

Последнее сообщение

Токен CSRF, вмешиваясь в TDD - есть ли переменная, которая хранит выход CSRF?

Последнее сообщение Anonymous « 15 авг 2025, 21:44
Добавлено в форуме Python

Anonymous » 15 авг 2025, 21:44 » в форуме Python

Итак, я продолжал возвращать неудачный тест в Django при сравнении, ожидаемого фактического HTML с входом формы, поэтому я распечатал результат и понял, что разница была довольно простая строка, вызванная моей { % csrf_token %} , следующим образом:...

0 Ответы

3 Просмотры

Последнее сообщение Anonymous
15 авг 2025, 21:44
Неверный токен CSRF при вызове микросервисов через мой весенний облачный шлюз

Последнее сообщение Anonymous « 08 апр 2025, 18:57
Добавлено в форуме JAVA

Anonymous » 08 апр 2025, 18:57 » в форуме JAVA

Я застрял в том, что в моем приложении для микросопервизирования Spring Boot Microservice с помощью Spring Cloud Gateway.
У меня есть микросервис для базы аутентификации на keycloak, обнаруживая некоторые API, такие как регистр, вход в систему и т....

0 Ответы

4 Просмотры

Последнее сообщение Anonymous
08 апр 2025, 18:57
Как хранить свой токен CSRF на моем фронтальном заголовке NextJS. Я храню свой токен jwt в печенье

Последнее сообщение Anonymous « 23 фев 2025, 20:55
Добавлено в форуме Python

Anonymous » 23 фев 2025, 20:55 » в форуме Python

Я создаю веб -сайт с Flask и NextJS и аутентификации с JWT и храню его в cookie. На моей главной странице я установил свой CSRFTOKENKEN в своем заголовке в моем NextJS (хотя я создал маршрут в колбе, который отправляет CSRFTOKENKENT и NEXTJS его...

0 Ответы

24 Просмотры

Последнее сообщение Anonymous
23 фев 2025, 20:55
Получение «недопустимого токена CSRF», найденного в приложении Spring Boot, хотя CSRF отключена в Spring SecurityConfig

Последнее сообщение Anonymous « 05 май 2025, 16:10
Добавлено в форуме JAVA

Anonymous » 05 май 2025, 16:10 » в форуме JAVA

Я получаю эту ошибку

Неверный токен CSRF, найденной для http: // localhost: 8080/api/v1/login

Когда я выполняю пост из почты на этой конечной точке http: // localhost: 8080/api/v1/login
Это контроллер.
@RestController
class FooController() {...

0 Ответы

12 Просмотры

Последнее сообщение Anonymous
05 май 2025, 16:10
Spring Security CSRF не отключен

Последнее сообщение Anonymous « 06 фев 2025, 13:56
Добавлено в форуме JAVA

Anonymous » 06 фев 2025, 13:56 » в форуме JAVA

У меня есть эта конфигурация безопасности для Spring Boot API, и даже когда я разрешаю некоторые конечные точки, такие как вход в систему или регистрация, сервер продолжает сообщать мне 401 несанкционированное, и журналы, показывающие...

0 Ответы

13 Просмотры

Последнее сообщение Anonymous
06 фев 2025, 13:56

Вернуться в «JAVA»