Java 无法在Spring Boot中禁用CSRF安全性
我想用这些值从Ruby代码发送http请求,但每次CSRF验证失败时: http://some_domain.com?key=value&t5052&key=value&key=value 我有这个Spring配置:Java 无法在Spring Boot中禁用CSRF安全性,java,spring,spring-boot,spring-security,csrf,Java,Spring,Spring Boot,Spring Security,Csrf,我想用这些值从Ruby代码发送http请求,但每次CSRF验证失败时: http://some_domain.com?key=value&t5052&key=value&key=value 我有这个Spring配置: <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.6.RELEASE</version>
</parent>
....
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>
终点:
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, value = "/v1/notification")
public ResponseEntity<String> handleNotifications(@RequestBody MultiValueMap<String, Object> keyValuePairs) {
.....
return new ResponseEntity<>(HttpStatus.OK);
}
POM配置:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.6.RELEASE</version>
</parent>
....
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>
你知道我如何解决这个问题吗?我是否可以在Spring中仅为/notification禁用此CSRF检查?可能是因为代码super.configurehttp;失踪 此代码适用于我的电脑: @启用Web安全性 @配置 类应用程序安全配置扩展了WebSecurity配置适配器{ @豆子 UserDetails服务MyUserDetails服务{ 返回新的UserDetailsService{ @凌驾 public UserDetails loadUserByUsernameString用户名抛出UsernameNotFoundException{ UserDetails UserDetails=null; 试一试{ userDetails=newuseradmin、admin、getAuthorities; }捕获异常e{ e、 打印跟踪; } 返回用户详细信息; } 私人收藏机构{ List authList=新建ArrayList; authList.addnew SimpleGrantedAuthorityROLE_用户; authList.addnew SimpleGrantedAuthorityROLE_ADMIN; 返回authList; } }; } @凌驾 受保护的void configureHttpSecurity http引发异常{ super.configurehttp; http.csrf.disable; } } 我可以找到登录页面将添加的标签
如果我评论http.csrf.disable 我不知道您的项目结构,但似乎ApplicationSecurity配置未扫描到applicationContext中,因此http.csrf.disable;可能不会执行。建议您调试程序以检查它是否执行。@WangKenneth好的,这是一个可能的想法。当我为应该在日志中搜索的字符串启用调试时?仅csrf?只需在http.csrf.disable上设置断点;或在http.csrf.disable后添加日志语句;到check@WangKenneth看起来已经扫描并找到了:antMatchers/通知正确吗??控制器上的路径是/v1/notificationsuper.configurehttp;的用途是什么;?我在互联网上发现了许多使用它的代码示例,但我找不到为什么使用它?@PeterPenzov super.configurehttp是调用超级类方法的,所以这里是WebSecurityConfigurerAdapter.configure,您可以看到它的代码,知道这个方法做了什么。一般来说,它与您的方法非常相似,比如http.httpBasic、authorizeRequests等,但它并不完全相似,所以您可以了解您需要什么missed@PeterPenzov如果您不想在过度使用超类方法时调用它,您应该确保超级类方法中的代码确实不需要。它可能与依赖项冲突。为什么不使用spring boot starter security?我更喜欢spring security。我如何才能发现是否存在任何冲突?
@Configuration
@EnableWebSecurity
@Import(value = { Application.class, ContextDatasource.class })
@ComponentScan(basePackages = { "org.rest.api.server.*" })
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthEntryPoint authenticationEntryPoint;
@Autowired
MerchantAuthService myUserDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(myUserDetailsService);
auth.authenticationProvider(authenticationProvider());
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(myUserDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/notification").permitAll().anyRequest().permitAll();
http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.csrf().disable();
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.6.RELEASE</version>
</parent>
....
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>