I want to use http post to post data from jsp page to my controller .the problem is that when I enable csrf the request wasn't sent but I want to enable csrf can any one help me ?
home.jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.0/jquery.min.js"></script>
<title>Insert title here</title>
</head>
<body>
hello there !!!<br>
<button type="button" onclick="location.href='${pageContext.request.contextPath}/create';"> start workflow</button> <br>
<button type="button" onclick="location.href='${pageContext.request.contextPath}/workflows';"> View Workflows</button> <br>
<button type="button" onclick="sendDataWithJson();"> View data</button> <br>
<a href="${pageContext.request.contextPath}/login">login</a>
<p>Parameter from home ${pageContext.request.userPrincipal.name}</p>
</body>
<script type="text/javascript">
function success(data){
alert("success");
}
function error(data){
alert("error");
}
function sendDataWithJson(){
$.ajax({
type: 'POST',
url: '<c:url value="/sendmessage" />',
data: JSON.stringify({"text":"bla bla bla","name":"MED"}),
success:success,
error:error,
contentType: "application/json",
dataType: "json"
});
}
</script>
</html>
springsecurity.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd">
<security:authentication-manager>
<security:ldap-authentication-provider
user-search-filter="(uid={0})" user-search-base="ou=users"
group-search-filter="(uniqueMember={0})" group-search-base="ou=groups"
group-role-attribute="cn" role-prefix="ROLE_" />
</security:authentication-manager>
<security:ldap-server url="ldap://localhost:8389/o=mojo"
manager-dn="uid=admin,ou=system" manager-password="secret" />
<security:http use-expressions="true">
<security:intercept-url pattern="/" access="permitAll"/>
<security:intercept-url pattern="/next" access="permitAll" />
<security:intercept-url pattern="/workflows" access="isAuthenticated()"/>
<security:intercept-url pattern="/getmessages" access="isAuthenticated()"/>
<security:intercept-url pattern="/sendmessage" access="permitAll"/>
<security:form-login login-page="/login"
login-processing-url="/login"
authentication-failure-url="/login.html?error=true"
username-parameter="username"
password-parameter="password"
/>
<security:csrf/>
</security:http>
</beans>
controller
@RequestMapping( value = "/sendmessage" , method=RequestMethod.POST , produces="application/json")
@ResponseBody
public Map<String, Object> getData(@RequestBody Map<String, Object> data){
String text=(String) data.get("text");
String name=(String) data.get("name");
System.out.println(text+","+name);
Map<String, Object>rval = new HashMap<String, Object>();
rval.put("success",true);
return rval;
}
You can add the csrf value to html when you are using jsp:
<meta name="_csrf_param" content="${_csrf.parameterName}"/>
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>
this will render the crsf value from session.
and now you are using ajax, you should add the csrf token in header, you can extend the jquery:
$(function () {
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});
});