Java Spring Security:在手动安全配置中添加CSRF支持


我正在处理一个复杂的手动安全配置(Spring 3.4,Spring Security 3.2)。过滤器链是通过 httpSessionContextIntegrationFilter 以及我们自行配置的其他bean手动搭建的:

<!-- Hand-assembled Spring Security filter chain: the FilterChainProxy bean is declared
     directly and the filters for each URL pattern are named one by one. -->
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <!-- Patterns in this map are matched Ant-style. -->
    <security:filter-chain-map path-type="ant" request-matcher="ant">
        <!-- One chain covers every request ("/**"). The "filters" attribute is a list of
             bean names (the middle of the list is elided as "... beans ...").
             NOTE(review): no CSRF filter is visible in this list. With a chain assembled by
             hand, a CsrfFilter bean would presumably have to be declared and named here for
             CSRF checks to apply; confirm its position against the standard Spring Security
             filter ordering. -->
        <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter, ... beans ...,filterInvocationInterceptor"/>
    </security:filter-chain-map>
</bean>
我在应用程序上下文中声明了一个bean(其定义在本页中缺失),但在创建应用程序上下文时,WebSecurityConfigurerAdapter.configure方法从未被调用。

如何在此处添加CSRF保护?我也需要手动插入CsrfFilter吗?

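以下代码摘自一篇相关文章(原文链接在本页中缺失),或许能回答您的问题。注意:该示例依赖Java配置(WebSecurityConfigurerAdapter);如果继续使用手动配置的FilterChainProxy,则需要把CsrfFilter和下面的过滤器声明为bean,并显式加入filters列表。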

import my.filter.CsrfTokenGeneratorFilter;
import org.springframework.security.web.csrf.CsrfFilter;

/**
 * Java-config security setup that registers {@link CsrfTokenGeneratorFilter} in the
 * {@link HttpSecurity} filter chain.
 *
 * <p>The registration only takes effect for the chain built from this configuration class.
 * A {@code FilterChainProxy} assembled by hand in XML does not pick it up; there the filters
 * have to be listed in the chain explicitly.
 *
 * <p>NOTE(review): only the filter registration is shown; this override declares no
 * authorization rules of its own.
 */
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Adds the token-publishing filter after {@link CsrfFilter}, so that it runs once the
     * CSRF filter has had a chance to process the request.
     *
     * <p>Relies on a {@link CsrfFilter} being present in the chain (presumably the CSRF
     * support the adapter enables by default; confirm it has not been disabled elsewhere).
     *
     * @param http the security builder supplied by the framework
     * @throws Exception if the builder rejects the registration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        final CsrfTokenGeneratorFilter tokenHeaderFilter = new CsrfTokenGeneratorFilter();
        http.addFilterAfter(tokenHeaderFilter, CsrfFilter.class);
    }
}

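/**
 * Filter which adds CSRF information as response headers.
 *
 * <p>Looks up the {@link CsrfToken} stored under the {@code "_csrf"} request attribute and
 * copies its header name, parameter name and value into the {@code X-CSRF-HEADER},
 * {@code X-CSRF-PARAM} and {@code X-CSRF-TOKEN} response headers, so that a client (for
 * example an AJAX front end) can send the token back on later requests.
 *
 * <p>This filter only publishes the token; it performs no CSRF validation itself. It must
 * therefore run after the filter that puts the token on the request. When no token is
 * present, the headers are skipped instead of failing the request with a
 * {@code NullPointerException}.
 *
 * <p>NOTE(review): the token value is written to every response that passes through this
 * filter. Make sure these headers are not exposed to other origins through CORS
 * configuration and that such responses are not stored by shared caches.
 *
 * @author Patrick Grimard
 * @since 12/31/2013 4:48 PM
 */
public final class CsrfTokenGeneratorFilter extends OncePerRequestFilter {

    /** Request attribute under which the CSRF token is looked up. */
    private static final String CSRF_REQUEST_ATTRIBUTE = "_csrf";

    /**
     * Publishes the current CSRF token as response headers, then continues the chain.
     *
     * @param request the current request; expected to carry the token as an attribute
     * @param response the response that receives the three CSRF headers
     * @param filterChain the remaining filters, always invoked
     * @throws ServletException propagated from the rest of the chain
     * @throws IOException propagated from the rest of the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Object attribute = request.getAttribute(CSRF_REQUEST_ATTRIBUTE);

        // The attribute is absent when no CSRF filter ran before this one (for example in a
        // hand-built chain that does not list it). In that case there is nothing to publish,
        // and CSRF protection is probably not active for this chain either.
        if (attribute instanceof CsrfToken) {
            CsrfToken token = (CsrfToken) attribute;

            // Header name under which Spring Security accepts the token.
            response.setHeader("X-CSRF-HEADER", token.getHeaderName());

            // Request parameter name under which Spring Security accepts the token.
            response.setHeader("X-CSRF-PARAM", token.getParameterName());

            // The token value itself, to be sent back as either the header or the parameter.
            response.setHeader("X-CSRF-TOKEN", token.getToken());
        }

        // Headers are set before delegating, while the response is still uncommitted.
        filterChain.doFilter(request, response);
    }
}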
import my.filter.CsrfTokenGeneratorFilter;
import org.springframework.security.web.csrf.CsrfFilter;

/**
 * Java-config security setup that registers {@link CsrfTokenGeneratorFilter} in the
 * {@link HttpSecurity} filter chain.
 *
 * <p>The registration only takes effect for the chain built from this configuration class.
 * A {@code FilterChainProxy} assembled by hand in XML does not pick it up; there the filters
 * have to be listed in the chain explicitly.
 *
 * <p>NOTE(review): only the filter registration is shown; this override declares no
 * authorization rules of its own.
 */
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Adds the token-publishing filter after {@link CsrfFilter}, so that it runs once the
     * CSRF filter has had a chance to process the request.
     *
     * <p>Relies on a {@link CsrfFilter} being present in the chain (presumably the CSRF
     * support the adapter enables by default; confirm it has not been disabled elsewhere).
     *
     * @param http the security builder supplied by the framework
     * @throws Exception if the builder rejects the registration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        final CsrfTokenGeneratorFilter tokenHeaderFilter = new CsrfTokenGeneratorFilter();
        http.addFilterAfter(tokenHeaderFilter, CsrfFilter.class);
    }
}

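/**
 * Filter which adds CSRF information as response headers.
 *
 * <p>Looks up the {@link CsrfToken} stored under the {@code "_csrf"} request attribute and
 * copies its header name, parameter name and value into the {@code X-CSRF-HEADER},
 * {@code X-CSRF-PARAM} and {@code X-CSRF-TOKEN} response headers, so that a client (for
 * example an AJAX front end) can send the token back on later requests.
 *
 * <p>This filter only publishes the token; it performs no CSRF validation itself. It must
 * therefore run after the filter that puts the token on the request. When no token is
 * present, the headers are skipped instead of failing the request with a
 * {@code NullPointerException}.
 *
 * <p>NOTE(review): the token value is written to every response that passes through this
 * filter. Make sure these headers are not exposed to other origins through CORS
 * configuration and that such responses are not stored by shared caches.
 *
 * @author Patrick Grimard
 * @since 12/31/2013 4:48 PM
 */
public final class CsrfTokenGeneratorFilter extends OncePerRequestFilter {

    /** Request attribute under which the CSRF token is looked up. */
    private static final String CSRF_REQUEST_ATTRIBUTE = "_csrf";

    /**
     * Publishes the current CSRF token as response headers, then continues the chain.
     *
     * @param request the current request; expected to carry the token as an attribute
     * @param response the response that receives the three CSRF headers
     * @param filterChain the remaining filters, always invoked
     * @throws ServletException propagated from the rest of the chain
     * @throws IOException propagated from the rest of the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        Object attribute = request.getAttribute(CSRF_REQUEST_ATTRIBUTE);

        // The attribute is absent when no CSRF filter ran before this one (for example in a
        // hand-built chain that does not list it). In that case there is nothing to publish,
        // and CSRF protection is probably not active for this chain either.
        if (attribute instanceof CsrfToken) {
            CsrfToken token = (CsrfToken) attribute;

            // Header name under which Spring Security accepts the token.
            response.setHeader("X-CSRF-HEADER", token.getHeaderName());

            // Request parameter name under which Spring Security accepts the token.
            response.setHeader("X-CSRF-PARAM", token.getParameterName());

            // The token value itself, to be sent back as either the header or the parameter.
            response.setHeader("X-CSRF-TOKEN", token.getToken());
        }

        // Headers are set before delegating, while the response is still uncommitted.
        filterChain.doFilter(request, response);
    }
}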