Five, Using a custom authentication page with Spring Security
5.1 Specify the custom authentication page in the Spring Security main configuration file
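The configuration this section refers to, written out as an added Java-based example (it is not the original page's configuration file, which is not reproduced here). The package name and the URLs /login.html, /doLogin and /index are assumptions; it targets Spring Security 6.

```java
// SecurityConfig.java: added example of a Spring Security configuration that replaces
// the built-in login page with a custom one. Package, class and URL names are assumed.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // The login page and its static resources must be reachable without being
            // authenticated, otherwise the redirect to the login page loops forever.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login.html", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login.html")        // GET: our own page instead of the built-in one
                .loginProcessingUrl("/doLogin")  // POST: handled by UsernamePasswordAuthenticationFilter
                .usernameParameter("username")   // form field names the filter reads
                .passwordParameter("password")
                .defaultSuccessUrl("/index", true)
                .failureUrl("/login.html?error"));
        // CSRF protection is deliberately left at its default (enabled): the custom page
        // therefore has to submit the _csrf token with its POST, which is the point of 5.2.
        return http.build();
    }
}
```

The login page itself is served by whatever controller or static resource handles GET /login.html; nothing in this configuration generates it, which is exactly why a hand-written page can forget the hidden field that the built-in page includes.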
A 403 error appears. What does it mean? 403 is Spring Security's "insufficient permissions" (access denied) response. Where does this exception come from? Recall the source of Spring Security's built-in authentication page shown above: the form contains a hidden input named _csrf. That hidden field is the cause of the problem; our custom page does not submit it.
5.2 Spring Security's CSRF protection mechanism
CSRF (Cross-site request forgery) is a web attack in which a victim's browser is made to send a request to a site where the victim is already logged in, so the request carries the victim's session cookie and looks legitimate to the server. It is difficult to prevent without a dedicated countermeasure, which is why Spring Security enables one (a per-session synchronizer token) by default.
5.2.1 Description of Spring Security's CsrfFilter
From the source analysis we know that the request sent by our authentication page is a POST, but it carries no token. The CsrfFilter checks every request whose method is not GET, HEAD, TRACE or OPTIONS, comparing the value of the _csrf parameter (or the X-CSRF-TOKEN header) with the token held by the CsrfTokenRepository; a missing or mismatched value is rejected with a 403 access denied error. So how do we deal with this problem?
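The CsrfFilter behaviour described above, demonstrated as an added Spring Boot test (example code, not from the original page). It assumes spring-boot-starter-test and spring-security-test on the classpath, that /doLogin is the login processing URL and that GET /login.html is served by the application; the user name and password are placeholders.

```java
// CsrfFilterBehaviourTest.java: added example showing which requests the CsrfFilter
// rejects. Package name, /login.html and /doLogin are assumptions about the application.
package com.example.security;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class CsrfFilterBehaviourTest {

    @Autowired
    MockMvc mockMvc;

    @Test
    void getRequestsAreNotChecked() throws Exception {
        // CsrfFilter only protects methods other than GET, HEAD, TRACE and OPTIONS.
        mockMvc.perform(get("/login.html")).andExpect(status().isOk());
    }

    @Test
    void postWithoutTokenIsRejectedWith403() throws Exception {
        // Exactly the situation of the custom page: a POST that carries no _csrf value.
        mockMvc.perform(post("/doLogin")
                .param("username", "user")
                .param("password", "wrong"))
            .andExpect(status().isForbidden());
    }

    @Test
    void postWithTokenReachesAuthentication() throws Exception {
        // csrf() stores a token through the configured CsrfTokenRepository and adds the
        // matching _csrf parameter. Right or wrong credentials, the request now passes
        // the CsrfFilter and ends in a redirect (success or failure URL), not a 403.
        mockMvc.perform(post("/doLogin")
                .param("username", "user")
                .param("password", "wrong")
                .with(csrf()))
            .andExpect(status().is3xxRedirection());
    }

    @Test
    void tokenIsAlsoAcceptedInHeader() throws Exception {
        // Relevant for JavaScript clients: the same token in the X-CSRF-TOKEN header.
        mockMvc.perform(post("/doLogin")
                .param("username", "user")
                .param("password", "wrong")
                .with(csrf().asHeader()))
            .andExpect(status().is3xxRedirection());
    }
}
```

The second test reproduces the 403 from the custom page; the third and fourth show that the filter is satisfied as soon as the token is present, regardless of whether authentication later succeeds.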
Method 1: disable CSRF protection entirely. This is not recommended.
Method 2: carry the token in the request sent from the authentication page.
5.2.2 Disabling the CSRF protection mechanism
Add configuration to the main Spring Security configuration file that disables CSRF protection. Note that this removes the CsrfFilter for every request in the application, not just the login form, so each state-changing endpoint becomes reachable from a foreign origin.
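The weak setting next to a narrower alternative, as an added Java-configuration example (not the original page's configuration file). The class name, the profile name csrf-off and the exempted path /webhooks/** are assumptions.

```java
// CsrfConfig.java: added example. Method 1 (csrf.disable(), not recommended) is shown
// beside a configuration that keeps the CsrfFilter on and exempts only one path.
// Package, class, profile and URL names are assumed.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfConfig {

    // Method 1: csrf.disable() removes the CsrfFilter from the chain. Every POST in the
    // application, not only /doLogin, can then be triggered from a foreign origin by the
    // victim's browser. Kept behind a profile so it cannot reach production by accident.
    @Bean
    @Profile("csrf-off")
    public SecurityFilterChain csrfDisabledChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Preferred: leave the CsrfFilter on. If one endpoint genuinely cannot carry a token
    // (for example a webhook authenticated by its own signature), exempt that path only
    // instead of switching protection off globally.
    @Bean
    @Profile("!csrf-off")
    public SecurityFilterChain csrfEnabledChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .csrf(csrf -> csrf
                // Explicit for clarity: this is the default repository, token in the session.
                .csrfTokenRepository(new HttpSessionCsrfTokenRepository())
                .ignoringRequestMatchers("/webhooks/**")); // assumed path
        return http.build();
    }
}
```

Running with the csrf-off profile reproduces Method 1; without it the application keeps the default protection and the login form must submit the token, which is Method 2.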
5.2.3 Carrying the token in the request from the authentication page
Note: the HttpSessionCsrfTokenRepository object is responsible for generating the token and storing it in the HTTP session. The CsrfFilter exposes the token to the page as a request attribute so the form can submit it back, and compares the submitted value with the stored one on the next POST.
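Method 2 in code, as an added example that is not the original page's login page: a controller that renders the custom authentication page with the hidden _csrf field read from the request attribute the CsrfFilter sets. Package, class and URL names are assumptions; it targets Spring Boot 3 / Spring Security 6 (jakarta.servlet).

```java
// LoginPageController.java: added example rendering the custom login page with the
// hidden CSRF field so the following POST passes the CsrfFilter. Names are assumed.
package com.example.security;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.util.HtmlUtils;

@Controller
public class LoginPageController {

    @GetMapping(value = "/login.html", produces = "text/html")
    @ResponseBody
    public String loginPage(HttpServletRequest request) {
        // CsrfFilter runs before this handler. It asks the CsrfTokenRepository (by default
        // HttpSessionCsrfTokenRepository, which keeps the token in the HTTP session) for the
        // token and exposes it as the request attributes "_csrf" and CsrfToken.class.getName().
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token == null) {
            // Only happens when CSRF protection has been disabled (5.2.2): render no field.
            return form("", "");
        }
        // getParameterName() is "_csrf" for the default repository; getToken() triggers
        // generation and saving of the token into the session on first use.
        return form(token.getParameterName(), token.getToken());
    }

    private static String form(String tokenField, String tokenValue) {
        // Escape both values: the token is opaque data, never trusted markup.
        String hidden = tokenField.isEmpty() ? "" :
            "  <input type=\"hidden\" name=\"" + HtmlUtils.htmlEscape(tokenField)
            + "\" value=\"" + HtmlUtils.htmlEscape(tokenValue) + "\"/>\n";
        return "<form method=\"post\" action=\"/doLogin\">\n"
            + hidden
            + "  <label>User <input type=\"text\" name=\"username\"/></label>\n"
            + "  <label>Password <input type=\"password\" name=\"password\"/></label>\n"
            + "  <button type=\"submit\">Login</button>\n"
            + "</form>\n";
    }
}
```

If the page is a JSP instead, the same two values are available as ${_csrf.parameterName} and ${_csrf.token}; with Thymeleaf a form using th:action gets the hidden field inserted automatically. Either way the token must be emitted per page render, never hard-coded, because it belongs to the current session.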