ajax - Ajax GET 请求后表单提交失败（无效的 CSRF 令牌）。怎么修？

问题是我已经实现了一个自定义过滤器来删除每个请求的安全上下文。这是我使应用程序无状态的方式，正如我在这个软件工程 SE 答案中所记录的那样。这会删除（或重置？）服务器端 CSRF 令牌，因此它不会与表单中的令牌匹配，但是，自定义过滤器会在之后触发，CsrfFilter所以我之前从未遇到过表单提交问题。

在这种情况下，虽然我有在为客户端构建表单之后但在提交之前处理的 Ajax 请求，所以我的自定义过滤器的不幸副作用导致表单提交失败。

如果 URL 位于特定目录路径下，我通过修改自定义过滤器以跳过删除上下文来纠正它：

public class SecurityContextDeletingFilter extends GenericFilterBean {

    RequestMatcher exceptedPaths = new AntPathRequestMatcher("/form-ajax/**");

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpSession session = request.getSession();

        if( exceptedPaths.matches(request)) {
            // Deleting the security context deletes the CSRF token in the session. We want to make sure this
            // does NOT occur if the user is in a form and is using Ajax features like the geocode lookup,
            // because they'll need the server to recognize the token on eventual form submission.
            logger.trace("Skipping this filter for a /form-ajax/ endpoint.");
        } else {
            if( session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY) != null ) {
                session.removeAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
            }
        }

        filterChain.doFilter(servletRequest,servletResponse);
    }
}