ository捕获安全性requireCsrfProtectio

ository捕获安全性requireCsrfProtectio

本文介绍了使用csrfTokenRepository捕获安全性requireCsrfProtectionMatcher的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在尝试禁用特定URL的Csrf。这是我到目前为止所做的:

I am trying to disable Csrf for specific url. here is what i have done so far:

public HttpSessionCsrfTokenRepository csrfTokenRepository() {
    final HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();
    tokenRepository.setHeaderName("X-XSRF-TOKEN");
    return tokenRepository;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    RequestMatcher matcher = request -> !("//j_spring_cas_security_check".equals(request.getRequestURI()));
    http.csrf()
            .requireCsrfProtectionMatcher(matcher)
            .csrfTokenRepository(csrfTokenRepository());

如果我注释掉 requireCsrfProtectionMatcher 或只是返回在所有匹配器中都为false,不会有任何错误,但是使用此配置,它会给我:

If i comment out requireCsrfProtectionMatcher or simply return false in all matchers there will be no errors, but with this config it gives me:

HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.

我需要在 j_spring_cas_security_check 上禁用csrf单次退出有效,并且 tokenRepository 可以与angularjs一起使用。我缺少什么吗?

I need to disable csrf on j_spring_cas_security_check so that single sign out works and tokenRepository to work with angularjs. Is there anything i am missing?

推荐答案

如果您没有将任何内容传递给 requireCsrfProtectionMatcher ,默认行为是绕过所有GET请求。显式提供新内容时,该行为将丢失,您还将检查GET请求。将代码更改为以下代码,以允许GET请求。

If you don't pass anything to requireCsrfProtectionMatcher, the default behaviour is to bypass all GET requests. The moment explicitly provide a new one, the behaviour is lost and you will check requests for GET as well. Change the code to following to allow GET requests.

public class CsrfRequestMatcher implements RequestMatcher {

    // Always allow the HTTP GET method
    private Pattern allowedMethods = Pattern.compile("^GET$");

    @Override
    public boolean matches(HttpServletRequest request) {

        if (allowedMethods.matcher(request.getMethod()).matches()) {
            return false;
        }

        // Your logic goes here


        return true;
    }

}

这篇关于使用csrfTokenRepository捕获安全性requireCsrfProtectionMatcher的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-22 20:17