Since I am new to the Broadleaf framework, I am facing a problem configuring security in my project.
I am getting the error below.
I added the web security configuration code as well.
How do I solve it?
[org.broadleafcommerce.common.exception.ServiceException: XSRF token mismatch (ENSU-N832-MK2I-BPOL-8KBH-J6AM-2HUK-10A6). Session may be expired.] with root cause
org.broadleafcommerce.common.exception.ServiceException: XSRF token mismatch (ENSU-N832-MK2I-BPOL-8KBH-J6AM-2HUK-10A6). Session may be expired.
    at org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl.compareToken(ExploitProtectionServiceImpl.java:128)
    at org.broadleafcommerce.common.security.handler.SecurityFilter.doFilter(SecurityFilter.java:88)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at
The code below is the web security configuration:
import java.util.ArrayList;
import java.util.List;

import javax.annotation.Resource;
import javax.servlet.Filter;

// Broadleaf classes; package names as in Broadleaf 5.x, verify against the version on your classpath
import org.broadleafcommerce.common.security.BroadleafAuthenticationFailureHandler;
import org.broadleafcommerce.common.security.handler.SecurityFilter;
import org.broadleafcommerce.profile.web.core.security.SessionFixationProtectionFilter;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession;

// EcomSiteAuthenticationSuccessHandler, CheckoutSecurityfilter and the "ecomUserDetailsService"
// bean are this project's own classes/beans and are not shown here.
@EnableWebSecurity
@EnableJdbcHttpSession(maxInactiveIntervalInSeconds = 2592000) // 30 days
@ComponentScan({"org.broadleafcommerce.common.web.security", "org.broadleafcommerce.profile.web.core.security", "org.broadleafcommerce.core.web.order.security"})
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SiteSecurityConfig extends WebSecurityConfigurerAdapter {

    @Configuration
    public static class DependencyConfiguration {

        @Bean
        protected AuthenticationFailureHandler blAuthenticationFailureHandler(@Qualifier("blAuthenticationFailureRedirectStrategy") RedirectStrategy redirectStrategy) {
            BroadleafAuthenticationFailureHandler response = new BroadleafAuthenticationFailureHandler("/service-type/get-all-services");
            response.setRedirectStrategy(redirectStrategy);
            return response;
        }

        @Bean
        protected AuthenticationSuccessHandler blAuthenticationSuccessHandler(@Qualifier("blAuthenticationSuccessRedirectStrategy") RedirectStrategy redirectStrategy) {
            EcomSiteAuthenticationSuccessHandler handler = new EcomSiteAuthenticationSuccessHandler();
            handler.setRedirectStrategy(redirectStrategy);
            handler.setDefaultTargetUrl("/service-type/get-all-services");
            handler.setTargetUrlParameter("successUrl");
            handler.setUseReferer(true);
            handler.setAlwaysUseDefaultTargetUrl(false);
            return handler;
        }

        // Broadleaf's SecurityFilter performs the XSRF token check that produced the error above.
        // Every non-excluded state-changing request must carry the token it expects.
        @Bean
        protected Filter blCsrfFilter() {
            SecurityFilter securityFilter = new SecurityFilter();
            List<String> excludedRequestPatterns = new ArrayList<>();
            excludedRequestPatterns.add("/sample-checkout/**");
            excludedRequestPatterns.add("/hosted/sample-checkout/**");
            securityFilter.setExcludedRequestPatterns(excludedRequestPatterns);
            return securityFilter;
        }

        @Bean
        protected Filter checkoutSecurityFilter() {
            CheckoutSecurityfilter checkoutSecurityFilter = new CheckoutSecurityfilter();
            return checkoutSecurityFilter;
        }
    }

    @Value("${asset.server.url.prefix.internal}")
    protected String assetServerUrlPrefixInternal;

    @Resource(name = "blAuthenticationSuccessHandler")
    protected AuthenticationSuccessHandler successHandler;

    @Resource(name = "blAuthenticationFailureHandler")
    protected AuthenticationFailureHandler failureHandler;

    @Resource(name = "blCsrfFilter")
    protected Filter securityFilter;

    @Resource(name = "checkoutSecurityFilter")
    protected Filter checkoutSecurityFilter;

    @Resource(name = "blSessionFixationProtectionFilter")
    protected Filter sessionFixationProtectionFilter;

    @Resource(name = "ecomUserDetailsService")
    protected UserDetailsService userDetailsService;

    @Resource(name = "blPasswordEncoder")
    protected PasswordEncoder passwordEncoder;

    // Static assets bypass the security filter chain entirely (no authentication, no XSRF check).
    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/css/**")
            .antMatchers("/fonts/**")
            .antMatchers("/img/**")
            .antMatchers("/js/**")
            .antMatchers("/**/" + assetServerUrlPrefixInternal + "/**")
            .antMatchers("/favicon.ico");
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
    }

    @Bean(name = "blAuthenticationManager")
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManager();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Spring Security's own CSRF filter is disabled; the Broadleaf SecurityFilter
            // registered below (blCsrfFilter) does the XSRF token comparison instead.
            .csrf().disable()
            .headers().frameOptions().disable().and()
            .sessionManagement()
                //.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
                // Spring's session fixation handling is off; blSessionFixationProtectionFilter covers it.
                .sessionFixation()
                .none()
                .enableSessionUrlRewriting(false)
                .and()
            .formLogin()
                .permitAll()
                .successHandler(successHandler)
                .failureHandler(failureHandler)
                .loginPage("/login")
                .loginProcessingUrl("/login_post.htm")
                .failureUrl("/login/failure")
                .and()
            .authorizeRequests()
                .antMatchers("/account/wishlist/**", "/account/**", "/checkout/**", "/wallet")
                .access("isAuthenticated()")
                .and()
            .logout()
                .invalidateHttpSession(true)
                .deleteCookies("ActiveID")
                .logoutUrl("/logout")
                .logoutSuccessUrl("/logout/success")
                .and()
            //.addFilterAfter(checkoutSecurityFilter, UsernamePasswordAuthenticationFilter.class)
            // The XSRF check runs before form-login processing, so the login POST is checked too.
            .addFilterBefore(securityFilter, UsernamePasswordAuthenticationFilter.class)
            .addFilterBefore(sessionFixationProtectionFilter, SessionManagementFilter.class);
    }

    /**
     * Don't allow the auto registration of the filter for the main request flow. This filter should be limited
     * to the spring security chain.
     *
     * @param filter the Filter instance to disable in the main flow
     * @return the registration bean that designates the filter as being disabled in the main flow
     */
    @Bean
    @DependsOn("blCacheManager")
    public FilterRegistrationBean blCsrfFilterFilterRegistrationBean(@Qualifier("blCsrfFilter") SecurityFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }

    /**
     * Don't allow the auto registration of the filter for the main request flow. This filter should be limited
     * to the spring security chain.
     *
     * @param filter the Filter instance to disable in the main flow
     * @return the registration bean that designates the filter as being disabled in the main flow
     */
    @Bean
    public FilterRegistrationBean blSessionFixationProtectionFilterFilterRegistrationBean(@Qualifier("blSessionFixationProtectionFilter") SessionFixationProtectionFilter filter) {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
        registrationBean.setEnabled(false);
        return registrationBean;
    }
}
Can you tell me what I am missing?
Thanks in advance.
Update: On my local machine (localhost) it works fine, but when I move this to an AWS instance (xx.xxx.xx.xx) this error occurs. Does anybody know why this is happening?
In your HTML template, use <blc:form> instead of a normal <form> and the XSRF token will be added to the form automatically.
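As an added illustration of that answer (example template, not part of the original question or answer), here is a Thymeleaf login page for the /login page and /login_post.htm processing URL configured above, showing the plain form that fails beside the Broadleaf form that works. The field names username and password are Spring Security's defaults, since the configuration does not override them; the blc namespace URI is the one Broadleaf's Thymeleaf templates declare. Broadleaf's form processor rewrites blc:form into a plain form element and appends a hidden csrfToken input carrying the token stored in the current HTTP session, which is what SecurityFilter compares on the POST. A plain form sends no such token, so the request fails with exactly the "XSRF token mismatch" ServiceException in the question; the same applies to any hand-written AJAX POST that does not include the csrfToken parameter.

```html
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org"
      xmlns:blc="http://www.broadleafcommerce.org">
<head>
  <title>Login</title>
</head>
<body>

  <!-- Rejected: a plain form posts no XSRF token, so Broadleaf's SecurityFilter
       (blCsrfFilter in the configuration) throws "XSRF token mismatch". -->
  <!--
  <form th:action="@{/login_post.htm}" method="post">
    <input type="text" name="username" />
    <input type="password" name="password" />
    <button type="submit">Log in</button>
  </form>
  -->

  <!-- Accepted: blc:form is rendered as <form ...> plus a hidden input named
       csrfToken whose value is the token held in this user's session. -->
  <blc:form th:action="@{/login_post.htm}" method="post">
    <!-- field names are Spring Security's defaults (assumption: not overridden in SiteSecurityConfig) -->
    <input type="text" name="username" />
    <input type="password" name="password" />
    <button type="submit">Log in</button>
  </blc:form>

</body>
</html>
```

Because the comparison is against the token stored in the session, the POST must come from a page rendered in the same session that receives it; if the session is lost between rendering the form and submitting it, the same mismatch error appears even with blc:form.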