Invalid CSRF token found for /zkau with Spring Security

asked 2015-09-14 10:38:23 +0800

CodeLover
1

updated 2015-09-14 10:42:58 +0800

I'm trying to integrate Spring Security with ZK.

I stuck with error message: Invalid CSRF token found for xxx/cbpm/zkau.

My full stacktrace

2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 1 of 14 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (AntPathRequestMatcher.java:151) - Checking match of request : '/zkau'; against '/zkau/**'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (ChannelProcessingFilter.java:142) - Request: FilterInvocation: URL: /zkau; ConfigAttributes: [ANY_CHANNEL]
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (HttpSessionSecurityContextRepository.java:192) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@c363b976: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c363b976: Principal: ptpn4.rawi.sso.client.authentication.SSOUser@4db176a9; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: SSORole{name=ROLE_ADMIN, privileges=null}'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 3 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 4 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (HstsHeaderWriter.java:128) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@244bd1a9
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2015-09-14 17:12:58,290 +0700 [http-nio-8787-exec-91] DEBUG (CsrfFilter.java:106) - Invalid CSRF token found for xxx/cbpm/zkau
2015-09-14 17:12:58,291 +0700 [http-nio-8787-exec-91] DEBUG (SecurityContextPersistenceFilter.java:105) - SecurityContextHolder now cleared, as request processing completed

I don't use Spring Security default authentication provider. I made custom provider and call it not with login form, but with an url like xxx/cbpm/sso/checkpoint.zul?token=xxxxxxx

and then I processed that token with this code:

public class SSOTokenHandler implements Initiator {

    private static final Logger logger = Logger.getLogger(SSOTokenHandler.class.getName());

    @Autowired
    @Qualifier("authenticationManager")
    AuthenticationManager authenticationManager;

    @Override
    public void doInit(Page page, Map<String, Object> map) throws Exception {
        authenticationManager = (AuthenticationManager) SpringUtil.getBean("authenticationManager");
        //org.zkoss.zkplus.spring.SpringUtil
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, Executions.getCurrent().getParameter("token"));
        try {
            if (authenticationManager != null) {
                Authentication auth = authenticationManager.authenticate(token);
                SecurityContextHolder.getContext().setAuthentication(auth);
                Executions.sendRedirect(SSOConstant.getMAIN_URL());
            }
        } catch (AuthenticationException e) {
            Executions.sendRedirect(SSOConstant.getPORTAL_SSO_URL());
        }
    }
}

Above code run well, and show index page.

But, every I do click something (fired ajax request), then 403 error arise with my attached log.

Please help me. :)

My spring-security.xml

<http auto-config="true">
        <form-login login-page="xxx/PortalSSO/auth/login.do?redirect=/sso/checkpoint/SDM02.do"/>
<!--        <intercept-url pattern="/api/auth/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />
        <intercept-url pattern="/resources/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />
        <intercept-url pattern="/auth/login.do" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />-->
        <intercept-url pattern="/zkau/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
        <intercept-url pattern="/css/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
        <intercept-url pattern="/img/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
        <intercept-url pattern="/sso/checkpoint.zul" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
        <session-management session-fixation-protection="none" /> 
        <!--<logout logout-success-url="/login.zul"/>-->
    </http>

    <authentication-manager alias="authenticationManager">  
        <authentication-provider ref="SSOAuthenticationProvider" />
    </authentication-manager>

    <beans:bean id="SSOAuthenticationProvider" class="ptpn4.rawi.sso.client.authentication.SSOAuthenticationProvider"/>

My library stack: - ZK EE 7.0.6.1 - ZK Spring Core 3.1.1 - ZK Spring Security 3.1.1 - Spring Framework 4.2.1 (core, web, beans, context, aop, expression) - Spring Security 4.0.2 (core, web, config)