使用Thymeleaf的话,SpringSecurity防护就简单多了。
引入Thymeleaf依赖:
开启crsf防护:
前端html:
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org" lang="en">
<head>
<meta charset="UTF-8">
<!-- CSRF -->
<meta name="_csrf" th:content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" th:content="${_csrf.headerName}"/>
<title>测试</title>
</head>
<body>
<h1>测试CSRF</h1>
<form>
<input type="button" id = "buttonCrsf" name="按钮" onclick="aaa()"/>
</form>
</body>
<script>
function aaa() {
// 获取 CSRF Token
var csrfToken = $("meta[name='_csrf']").attr("content");
var csrfHeader = $("meta[name='_csrf_header']").attr("content");
console.log(csrfToken);
console.log(csrfHeader);
$.ajax({
url: "/test/c2" ,
type: 'POST',
beforeSend: function(request) {
if(csrfToken && csrfHeader ) {
request.setRequestHeader(csrfHeader, csrfToken); // 添加 CSRF Token
} },
success: function(data){
alert(data.code+",,"+data.message+",,"+data.data);
},
error : function() {
alert(data.code+",,"+data.message+",,"+data.data);
}
});
};
</script>
<script type="text/javascript" src="./assets/js/jquery-1.8.0.min.js"></script>
</html>
只要该页面经过视图渲染,则可以获取csrfTokenhe csrfHeader。
其实最关键的类是CsrfFilter: