blocks|key|2872622|text|我已经解决了这个问题，在我的登录页面中添加了最后一个属性，也许它会帮你一个忙。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2872623|<%25@+page+language="java"+import="java.util.*"+pageEncoding="UTF-8"++isELIgnored="false"%25>|code-block|syntax|javascript|2872624|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

I have solved it by adding the last attribute in my login page,maybe it will do yo a favor.

<pre><code>&lt;%@ page language="java" import="java.util.*" pageEncoding="UTF-8" isELIgnored="false"%&gt;
</code></pre>

blocks|key|2872732|text|根据spring.io的说法：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2872733|2872734|什么时候应该使用CSRF保护？我们的建议是对普通用户可以通过浏览器处理的任何请求使用CSRF保护。如果您只创建由非浏览器客户端使用的服务，则可能需要禁用CSRF保护。|blockquote|2872735|2872736|2872737|因此，要禁用它：|2872738|@Configuration
public+class+RestSecurityConfig+extends+WebSecurityConfigurerAdapter+{
++@Override
++protected+void+configure(HttpSecurity+http)+throws+Exception+{
++++http.csrf().disable();
++}
}|code-block|syntax|javascript|2872739|注意:缺省情况下，Java保护在配置中处于启用状态|offset|length|style|BOLD|2872740|entityMap^0|0|0|0|0|0|0|0|0|G|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|X|8|@]|9|@]|A|$]]|$1|C|3|D|5|E|7|Y|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|Z|8|@]|9|@]|A|$]]|$1|G|3|-4|5|6|7|10|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|11|8|@]|9|@]|A|$]]|$1|J|3|K|5|L|7|12|8|@]|9|@]|A|$M|N]]|$1|O|3|P|5|6|7|13|8|@$Q|14|R|15|S|T]]|9|@]|A|$]]|$1|U|3|-4|5|6|7|16|8|@]|9|@]|A|$]]]|V|$]]

According to spring.io:

<blockquote>
 When should you use CSRF protection? Our recommendation is to use CSRF
 protection for any request that could be processed by a browser by
 normal users. If you are only creating a service that is used by
 non-browser clients, you will likely want to disable CSRF protection.
</blockquote>

So to disable it:

<pre><code>@Configuration
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {
 @Override
 protected void configure(HttpSecurity http) throws Exception {
 http.csrf().disable();
 }
}
</code></pre>

Note: CSRF protection is enabled by default with Java Configuration

blocks|key|2872818|text|禁用CSRF保护不是一个好主意。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2872819|Spring将在每次请求后自动生成一个新的CSRF令牌，您需要将其包含在所有具有副作用(PUT,+POST,+PATCH,+DELETE).的HTTP请求中|offset|length|style|CODE|2872820|在Postman中，您可以在每个请求中使用一个测试来将CSRF令牌存储在全局中，例如在使用CookieCsrfTokenRepository时。|2872821|pm.globals.set("xsrf-token",+postman.getResponseCookie("XSRF-TOKEN").value);|code-block|syntax|javascript|2872822|然后使用键X-XSRF-TOKEN和值{{xsrf-token}}将其作为标头包含在内。|2872823|entityMap^0|0|17|R|0|19|P|0|0|5|C|J|E|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|T|8|@$D|U|E|V|F|G]]|9|@]|A|$]]|$1|H|3|I|5|6|7|W|8|@$D|X|E|Y|F|G]]|9|@]|A|$]]|$1|J|3|K|5|L|7|Z|8|@]|9|@]|A|$M|N]]|$1|O|3|P|5|6|7|10|8|@$D|11|E|12|F|G]|$D|13|E|14|F|G]]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|15|8|@]|9|@]|A|$]]]|R|$]]

Disabling CSRF protection is a bad idea.

Spring will automatically generate a new CSRF token after each request, and you need to include it in all HTTP requests with side-effects <code>(PUT, POST, PATCH, DELETE).</code>

In Postman you can use a test in each request to store the CSRF token in a global, e.g. when using <code>CookieCsrfTokenRepository</code>

<pre><code>pm.globals.set("xsrf-token", postman.getResponseCookie("XSRF-TOKEN").value);
</code></pre>

And then include it as a header with key <code>X-XSRF-TOKEN</code> and value <code>{{xsrf-token}}</code>.

blocks|key|115709|text|试试这个：@Override+protected+boolean+sameOriginDisabled()+{+return+true;}|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|115710|@Configuration
public+class+WebSocketSecurityConfig+extends+AbstractSecurityWebSocketMessageBrokerConfigurer+{

++++...

++++//+Determines+if+a+CSRF+token+is+required+for+connecting.+This+protects+against+remote
++++//+sites+from+connecting+to+the+application+and+being+able+to+read/write+data+over+the
++++//+connection.+The+default+is+false+(the+token+is+required).
++++@Override
++++protected+boolean+sameOriginDisabled()+{
++++++++return+true;
++++}
}|code-block|syntax|javascript|115711|来源：WebSocket+Security:+Disable+CSRF+within+WebSockets|115712|entityMap|0|LINK|mutability|MUTABLE|url|https://docs.spring.io/autorepo/docs/spring-security/current/reference/html/web-app-security.html#websocket-sameorigin-disable^0|5|1S|0|0|3|1E|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@$9|V|A|W|B|C]]|D|@]|E|$]]|$1|F|3|G|5|H|7|X|8|@]|D|@]|E|$I|J]]|$1|K|3|L|5|6|7|Y|8|@]|D|@$9|Z|A|10|1|11]]|E|$]]|$1|M|3|-4|5|6|7|12|8|@]|D|@]|E|$]]]|N|$O|$5|P|Q|R|E|$S|T]]]]

try this: <code>@Override protected boolean sameOriginDisabled() { return true;}</code>

<pre><code>@Configuration
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

 ...

 // Determines if a CSRF token is required for connecting. This protects against remote
 // sites from connecting to the application and being able to read/write data over the
 // connection. The default is false (the token is required).
 @Override
 protected boolean sameOriginDisabled() {
 return true;
 }
}
</code></pre>

source: <a href="https://docs.spring.io/autorepo/docs/spring-security/current/reference/html/web-app-security.html#websocket-sameorigin-disable" rel="nofollow noreferrer">WebSocket Security: Disable CSRF within WebSockets</a>

blocks|key|2872980|text|对于POST方法，遇到了相同的错误，正在获取403禁止“无法验证提供的CSRF令牌，因为您的会话没有找到。”|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2872981|在探索了一段时间后，通过在配置中添加@EnableResourceServer注释找到了解决方案。|2872982|配置看起来像这样(+spring.version+-boot.version+->+1.4.1.RELEASE，spring-security.version+->+4.1.3.RELEASE，spring+->+4.3.4.RELEASE)|2872983|@Configuration
@EnableWebSecurity
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled+=+true)
public+class+SecurityConfig+extends+ResourceServerConfigurerAdapter+{

@Autowired
public+void+configureGlobal(AuthenticationManagerBuilder+auth)+throws+Exception+{
++auth.userDetailsService(inMemoryUserDetailsManager()).passwordEncoder(passwordEncoder());
}

@Override
public+void+configure(HttpSecurity+http)+throws+Exception+{
++++http.httpBasic();
++++http.sessionManagement().sessionCreationPolicy(STATELESS);
++++http.csrf().disable();
++++http.authorizeRequests().anyRequest()
++++++++++++.permitAll();
}

private+InMemoryUserDetailsManager+inMemoryUserDetailsManager()+throws+IOException+{
++++//+load+custom+properties
++++Properties+properties+=+new+Properties();
++++return+new+InMemoryUserDetailsManager(properties);
}

private+PasswordEncoder+passwordEncoder()+{
++++return+new+TextEncryptorBasedPasswordEncoder(textEncryptor());
}

private+TextEncryptor+textEncryptor()+{
++++return+new+OpenSslCompatibleTextEncryptor();
}

}|code-block|syntax|javascript|2872984|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|O|8|@]|9|@]|A|$]]|$1|F|3|G|5|H|7|P|8|@]|9|@]|A|$I|J]]|$1|K|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|L|$]]

Came to same error just with POST methods, was getting 403 Forbidden "Could not verify the provided CSRF token because your session was not found."

After exploring some time found solution by adding @EnableResourceServer annotation to config.

Config looks like that (spring-boot.version -> 1.4.1.RELEASE, spring-security.version -> 4.1.3.RELEASE, spring.version -> 4.3.4.RELEASE)

<pre><code>@Configuration
@EnableWebSecurity
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends ResourceServerConfigurerAdapter {

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
 auth.userDetailsService(inMemoryUserDetailsManager()).passwordEncoder(passwordEncoder());
}

@Override
public void configure(HttpSecurity http) throws Exception {
 http.httpBasic();
 http.sessionManagement().sessionCreationPolicy(STATELESS);
 http.csrf().disable();
 http.authorizeRequests().anyRequest()
 .permitAll();
}

private InMemoryUserDetailsManager inMemoryUserDetailsManager() throws IOException {
 // load custom properties
 Properties properties = new Properties();
 return new InMemoryUserDetailsManager(properties);
}

private PasswordEncoder passwordEncoder() {
 return new TextEncryptorBasedPasswordEncoder(textEncryptor());
}

private TextEncryptor textEncryptor() {
 return new OpenSslCompatibleTextEncryptor();
}

}
</code></pre>

blocks|key|115770|text|当我在没有使用credentials:+"same-origin"选项的情况下执行JS+fetch+AJAX调用时，我得到了这个错误消息(HTTP+Status+403+-+Could+not+verify+the+provided+CSRF+token+because+your+session+was+not+found.)。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|BOLD|entityRanges|data|115771|错误的方式|115772|fetch(url)
.then(function+(response)+{+return+response.json();+})
.then(function+(data)+{+console.log(data);+})|code-block|syntax|javascript|115773|正确的方式|115774|fetch(url,+{
++++credentials:+"same-origin"
})
.then(function+(response)+{+return+response.json();+})
.then(function+(data)+{+console.log(data);+})|115775|entityMap^0|7|Q|1X|2M|18|5|0|0|5|0|0|0|5|0|0^^$0|@$1|2|3|4|5|6|7|T|8|@$9|U|A|V|B|C]|$9|W|A|X|B|C]|$9|Y|A|Z|B|D]]|E|@]|F|$]]|$1|G|3|H|5|6|7|10|8|@$9|11|A|12|B|D]]|E|@]|F|$]]|$1|I|3|J|5|K|7|13|8|@]|E|@]|F|$L|M]]|$1|N|3|O|5|6|7|14|8|@$9|15|A|16|B|D]]|E|@]|F|$]]|$1|P|3|Q|5|K|7|17|8|@]|E|@]|F|$L|M]]|$1|R|3|-4|5|6|7|18|8|@]|E|@]|F|$]]]|S|$]]

I get this error message (<code>HTTP Status 403 - Could not verify the provided CSRF token because your session was not found.</code>) when I do a JS fetch AJAX call without using the <code>credentials: "same-origin"</code> option.

Wrong way

<pre><code>fetch(url)
.then(function (response) { return response.json(); })
.then(function (data) { console.log(data); })
</code></pre>

Correct way

<pre><code>fetch(url, {
 credentials: "same-origin"
})
.then(function (response) { return response.json(); })
.then(function (data) { console.log(data); })
</code></pre>

blocks|key|2873011|text|这是一个古老的问题，但这可能会对某些人有所帮助。我遇到了类似的问题，这就是我如何解决它的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2873012|为了让CSRF与REST+API协同工作，您需要在每次调用之前通过API获取一个CSRF令牌并使用该令牌。Token每次都不同，不能重复使用。|2873013|下面是获取CSRF令牌的控制器：|2873014|@RequestMapping(value+=+"/csrf",+method+=+RequestMethod.GET)
++++public+ResponseEntity<CSRFDTO>+getCsrfToken(HttpServletRequest+request)+{
++++++++CsrfToken+csrf+=+(CsrfToken)+request.getAttribute(CsrfToken.class.getName());
++++++++return+ResponseEntity.ok(CSRFDTO.builder()
++++++++++++++++.headerName(csrf.getHeaderName())
++++++++++++++++.token(csrf.getToken())
++++++++++++++++.build());
++++}|code-block|syntax|javascript|2873015|此外，您可以考虑将Spring应用程序配置为禁用REST+API端点的CSRF。引用我在某处读到的一篇文章：|2873016|2873017|我非常确定，REST端点上的CSRF令牌不会提供额外的保护。因此，在REST端点上启用CSRF保护只会向您的应用程序引入一些无用的代码，我认为应该跳过这些代码。|blockquote|2873018|2873019|2873020|希望这能有所帮助。|2873021|entityMap^0|0|0|0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|X|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|Y|8|@]|9|@]|A|$]]|$1|F|3|G|5|H|7|Z|8|@]|9|@]|A|$I|J]]|$1|K|3|L|5|6|7|10|8|@]|9|@]|A|$]]|$1|M|3|-4|5|6|7|11|8|@]|9|@]|A|$]]|$1|N|3|O|5|P|7|12|8|@]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|13|8|@]|9|@]|A|$]]|$1|R|3|-4|5|6|7|14|8|@]|9|@]|A|$]]|$1|S|3|T|5|6|7|15|8|@]|9|@]|A|$]]|$1|U|3|-4|5|6|7|16|8|@]|9|@]|A|$]]]|V|$]]

This is an old question but this might help someone. I had the similar issue and this is how I was able to resolve it.

In order for the CSRF to work with the REST API you need to obtain a CSRF token via API before every single call and use that token. Token is different every time and cannot be re-used.

Here is the controller to get the CSRF token:

<pre><code>@RequestMapping(value = "/csrf", method = RequestMethod.GET)
 public ResponseEntity&lt;CSRFDTO&gt; getCsrfToken(HttpServletRequest request) {
 CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
 return ResponseEntity.ok(CSRFDTO.builder()
 .headerName(csrf.getHeaderName())
 .token(csrf.getToken())
 .build());
 }
</code></pre>

Additionally, you might consider configuring your Spring app to disable the CSRF for the REST API endpoints. To quote an article I've read somewhere:

<blockquote>
 I'm very certain that CSRF tokens on a REST endpoint grant zero additional protection. As such, enabling CSRF protection on a REST endpoint just introduces some useless code to your application, and I think it should be skipped.
</blockquote>

Hope this helps.

I am using spring security along with java config

<pre><code>@Override
protected void configure(HttpSecurity http) throws Exception { 
 http
 .authorizeRequests()
 .antMatchers("/api/*").hasRole("ADMIN")
 .and()
 .addFilterAfter(new CsrfTokenResponseHeaderBindingFilter(), CsrfFilter.class)
 .exceptionHandling()
 .authenticationEntryPoint(restAuthenticationEntryPoint)
 .and()
 .formLogin()
 .successHandler(authenticationSuccessHandler)
 .failureHandler(new SimpleUrlAuthenticationFailureHandler());
</code></pre>

I am using PostMan for testing my REST services. I get 'csrf token' successfully and I am able to login by using <code>X-CSRF-TOKEN</code> in request header. But after login when i hit post request(I am including same token in request header that i used for login post request) I get the following error message:

HTTP Status 403 - Could not verify the provided CSRF token because your session was not found.

Can any one guide me what I am doing wrong.

Could not verify the provided CSRF token because your session was not found in spring security

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

我使用的是spring security和java config。@Overrideprotected void configure(HttpSecurity http) throws Exception {     http    .authorizeRequests()    .antMatchers("/api/...

问无法验证提供的CSRF令牌，因为在spring安全中找不到您的会话
EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问无法验证提供的CSRF令牌，因为在spring安全中找不到您的会话EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问无法验证提供的CSRF令牌，因为在spring安全中找不到您的会话
EN