Java: Unable to disable CSRF security in Spring Boot

I want to send an HTTP request with these values from Ruby code, but CSRF verification fails every time:

http://some_domain.com?key=value&t5052&key=value&key=value

I have this Spring configuration:

@Configuration
@EnableWebSecurity
@Import(value = { Application.class, ContextDatasource.class })
@ComponentScan(basePackages = { "org.rest.api.server.*" })
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private RestAuthEntryPoint authenticationEntryPoint;

    @Autowired
    MerchantAuthService myUserDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(myUserDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(myUserDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/notification").permitAll().anyRequest().permitAll();
        http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.csrf().disable();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return NoOpPasswordEncoder.getInstance();
    }
}

Endpoint:

@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/v1/notification")
public ResponseEntity<String> handleNotifications(@RequestBody MultiValueMap<String, Object> keyValuePairs) {
    .....
    return new ResponseEntity<>(HttpStatus.OK);
}

POM configuration:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.6.RELEASE</version>
</parent>
....
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
</dependency>

Do you know how I can solve this issue? Can I disable this CSRF check in Spring only for /notification?

Maybe it is because the code super.configure(http); is missing.

This code works on my computer:

@EnableWebSecurity
@Configuration
class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    UserDetailsService myUserDetailsService() {
        return new UserDetailsService() {
            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                UserDetails userDetails = null;
                try {
                    userDetails = new User("admin", "admin", getAuthorities());
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return userDetails;
            }

            private Collection<GrantedAuthority> getAuthorities() {
                List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>();
                authList.add(new SimpleGrantedAuthority("ROLE_USER"));
                authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                return authList;
            }
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.csrf().disable();
    }
}

I can find that the login page will add the tag

if I comment out http.csrf().disable()

I don't know your project structure, but it seems that ApplicationSecurityConfig is not scanned into the applicationContext, so http.csrf().disable(); may not be executed. I suggest you debug the program to check whether it is executed.

@WangKenneth OK, this is a possible idea. When I enable debug, which string should I search for in the logs? Only csrf?

Just set a breakpoint on http.csrf().disable(); or add a log statement after http.csrf().disable(); to check

@WangKenneth It looks like it is scanned and found:

Is antMatchers("/notification") correct?? The path on the controller is /v1/notification

What is the purpose of super.configure(http);? I found many code examples on the internet that use it, but I can't find why it is used?

@PeterPenzov super.configure(http) calls the superclass method, so here it is WebSecurityConfigurerAdapter.configure; you can look at its code to see what this method does. In general, it is very similar to your method, such as http.httpBasic(), authorizeRequests(), etc., but it is not exactly the same, so you can find out what you missed

@PeterPenzov If you don't want to call the superclass method when overriding it, you should make sure that the code in the superclass method is really not needed.

It may be a dependency conflict. Why not use spring-boot-starter-security?

I prefer spring security. How can I find out whether there is any conflict?
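An added example (not code from the question, the answer or the comments) showing how the CSRF exemption asked about above can be limited to the notification endpoint instead of calling http.csrf().disable() for the whole application. It uses the WebSecurityConfigurerAdapter style from the page; the class name NotificationCsrfConfig and the anyRequest().authenticated() rule are assumptions, and the path is the full controller mapping from the question, /v1/notification.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical class name; added example, not the asker's configuration.
@Configuration
@EnableWebSecurity
public class NotificationCsrfConfig extends WebSecurityConfigurerAdapter {

    // Must equal the full @PostMapping value on the controller.
    // A matcher for "/notification" does not match "/v1/notification".
    private static final String NOTIFICATION_PATH = "/v1/notification";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // CSRF protection stays on for every other state-changing
                // request; only the server-to-server callback is exempt.
                .ignoringAntMatchers(NOTIFICATION_PATH)
                .and()
            .authorizeRequests()
                // The external sender has no session or login, so the
                // callback itself is open to unauthenticated POSTs.
                .antMatchers(HttpMethod.POST, NOTIFICATION_PATH).permitAll()
                // Assumption: everything else requires authentication.
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```

Because the exempted endpoint accepts unauthenticated POSTs, the handler should verify the sender by some other means, for example a shared-secret signature over the request body.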