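/**
 * Handles an access denial, treating CSRF failures separately from every other denial.
 *
 * <p>A missing or invalid CSRF token is typically the result of an expired session
 * (the linked reference section covers exactly that case), so the user is sent back
 * to the site root instead of receiving a bare 403. Any other denial is answered with
 * 403 so that a denied request never completes without an error being reported to
 * the client.
 *
 * <ul>
 *   <li>https://docs.spring.io/spring-security/site/docs/4.2.3.RELEASE/reference/htmlsingle/#csrf-timeouts</li>
 *   <li>https://stackoverflow.com/questions/32446903/what-is-the-best-way-to-handle-invalid-csrf-token-found-in-the-request-when-sess</li>
 * </ul>
 *
 * @param request the denied request
 * @param response the response that receives the redirect or the error status
 * @param accessDeniedException the denial raised by the security filter chain
 * @throws IOException if the redirect or the error status cannot be written
 * @throws ServletException declared by the interface; not thrown by this implementation
 */
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
        AccessDeniedException accessDeniedException) throws IOException, ServletException {
    // Only the exception type is logged; the token value itself is deliberately not.
    LOGGER.warn("{},{},{}", Flag.BizLogFlag.WARN_CHECK, RequestHolder.getLastAccessUri(),
            accessDeniedException.getClass().getCanonicalName());
    if (response.isCommitted()) {
        // Nothing more can be written; the log line above is all that is left to do.
        return;
    }
    final boolean csrfFailure = accessDeniedException instanceof MissingCsrfTokenException
            || accessDeniedException instanceof InvalidCsrfTokenException;
    if (csrfFailure) {
        response.sendRedirect("/");
    } else {
        // A non-CSRF denial must still carry an error status; previously this case wrote nothing.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}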
/**
 * Marks CSRF failures with a response header before delegating to the common handling.
 *
 * <p>When the denial is caused by an invalid or missing CSRF token, the
 * {@code CsrfHeaders.CSRF_TOKEN_HEADER} header is set to
 * {@code CSRF_TOKEN_REQUIRED_HEADER_VALUE}, presumably so that a client can tell a
 * token problem apart from any other denial and obtain a fresh token. Every exception,
 * CSRF-related or not, is then passed on to {@code doHandle}.
 *
 * @param request the denied request
 * @param response the response the marker header is added to
 * @param authException the denial raised by the security filter chain
 * @throws IOException propagated from {@code doHandle}
 * @throws ServletException propagated from {@code doHandle}
 */
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
        AccessDeniedException authException) throws IOException, ServletException {
    final boolean csrfTokenProblem = authException instanceof InvalidCsrfTokenException
            || authException instanceof MissingCsrfTokenException;
    if (csrfTokenProblem) {
        response.setHeader(CsrfHeaders.CSRF_TOKEN_HEADER, CSRF_TOKEN_REQUIRED_HEADER_VALUE);
    }
    doHandle(request, response, authException);
}
/**
 * Answers every denial with 403 and a small JSON body, logging CSRF failures distinctly.
 *
 * <p>The log line records the request URI, the active user, whether a session exists
 * and the exception message (never the token value). The more specific
 * {@code MissingCsrfTokenException} is tested before the general {@code CsrfException}.
 * The JSON body is only written while the response is still open.
 *
 * @param request the denied request
 * @param response the response that receives the 403 and the JSON body
 * @param ex the denial raised by the security filter chain
 * @throws IOException if the response body cannot be written
 */
@Override
public void handle(final HttpServletRequest request, final HttpServletResponse response,
        final AccessDeniedException ex) throws IOException {
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    final boolean hasSession = request.getSession(false) != null;
    final String uri = request.getRequestURI();
    if (ex instanceof MissingCsrfTokenException) {
        LOG.warn("Missing CSRF token for requestURI={} for user {} with session={} and message: {}",
                uri, getActiveUserInfo(), hasSession, ex.getMessage());
    } else if (ex instanceof CsrfException) {
        LOG.warn("Invalid CSRF token for requestURI={} for user {} with session={} and message: {}",
                uri, getActiveUserInfo(), hasSession, ex.getMessage());
    } else {
        LOG.warn("Access denied for requestURI={} for user {} with exception {} message: {}",
                uri, getActiveUserInfo(), ex.getClass().getName(), ex.getMessage());
    }
    if (response.isCommitted()) {
        return;
    }
    response.setContentType("application/json");
    final PrintWriter out = response.getWriter();
    out.print("{\"status\": \"FORBIDDEN\"}");
    out.flush();
    out.close();
}
/**
 * Reports a missing CSRF token as 401; every other denial goes through the parent handler.
 *
 * @param httpServletRequest the denied request
 * @param httpServletResponse the response that receives the status
 * @param e the denial raised by the security filter chain
 * @throws IOException if sending the error status fails
 * @throws ServletException propagated from the parent handler
 */
@Override
public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
        AccessDeniedException e) throws IOException, ServletException {
    if (!(e instanceof MissingCsrfTokenException)) {
        super.handle(httpServletRequest, httpServletResponse, e);
        return;
    }
    // NOTE(review): a missing token yields 401 rather than 403 here — presumably the client
    // treats it as "re-authenticate"; confirm this is intended.
    httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
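/**
 * Sends the user to the login page when the CSRF token is missing or invalid.
 *
 * <p>Other denials are handled by the parent handler. The redirect ends the handling:
 * the original fell through to {@code super.handle} after redirecting and relied on the
 * parent noticing the already-committed response; the early return makes the intent
 * explicit and avoids handling the same denial twice.
 *
 * @param request the denied request
 * @param response the response that receives the redirect or the parent's outcome
 * @param accessDeniedException the denial raised by the security filter chain
 * @throws IOException if the redirect cannot be sent
 * @throws ServletException propagated from the parent handler
 */
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
        AccessDeniedException accessDeniedException) throws IOException, ServletException {
    final boolean csrfFailure = accessDeniedException instanceof InvalidCsrfTokenException
            || accessDeniedException instanceof MissingCsrfTokenException;
    if (csrfFailure) {
        new DefaultRedirectStrategy().sendRedirect(request, response, "/editar/autenticar?sessao");
        return;
    }
    super.handle(request, response, accessDeniedException);
}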
/** A missing CSRF token must send the user to the login page rather than produce a bare 403. */
@Test
public void redirecionaParaAutenticacaoQuandoTokenCsrfEstáAusente() throws Exception {
    // The handler is expected to act on the exception type, not on the token value passed here.
    handler.handle(request, response, new MissingCsrfTokenException("actualToken"));
    assertThat(response.getRedirectedUrl(), is("/editar/autenticar?sessao"));
}
/**
 * Redirects to the context root when a login or logout request lacks its CSRF token;
 * all other denials are delegated to {@code defaultHandler}.
 *
 * <p>A login/logout form submitted without a token is treated as a stale page (e.g. after
 * the session expired) rather than as a hard failure, so the user simply lands on the
 * start page. Nothing is done when the response is already committed.
 *
 * @param request the denied request
 * @param response the response that receives the redirect or the delegate's outcome
 * @param accessDeniedException the denial raised by the security filter chain
 * @throws IOException if the redirect cannot be sent or the delegate fails
 * @throws ServletException propagated from the delegate
 */
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
        AccessDeniedException accessDeniedException) throws IOException, ServletException {
    if (!response.isCommitted()) {
        final boolean staleLoginOrLogout = isLoginLogoutRequest(request)
                && accessDeniedException instanceof MissingCsrfTokenException;
        if (staleLoginOrLogout) {
            response.sendRedirect(request.getContextPath());
        } else {
            defaultHandler.handle(request, response, accessDeniedException);
        }
    }
}