Java Spring Security CSRF支持手动安全配置
我正在处理一个复杂的手动安全配置(Spring3.4,SpringSecurity 3.2)。过滤器链已通过Java Spring Security CSRF支持手动安全配置,java,spring-security,csrf,Java,Spring Security,Csrf,我正在处理一个复杂的手动安全配置(Spring3.4,SpringSecurity 3.2)。过滤器链已通过httpSessionContextIntegrationFilter和我们配置的其他bean手动配置 <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy"> <security:filter-chain-map path-type="ant" r
httpSessionContextIntegrationFilter
和我们配置的其他bean手动配置
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant" request-matcher="ant">
<security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter, ... beans ...,filterInvocationInterceptor"/>
</security:filter-chain-map>
</bean>
我在应用程序上下文中声明了bean
,但在创建应用程序上下文时从未调用WebSecurityConfigureAdapter.configure方法
如何在此处添加CSRF保护?我也需要手动插入CSRFFilter吗?如果它回答了您的问题,则从中提取
import my.filter.CsrfTokenGeneratorFilter;
import org.springframework.security.web.csrf.CsrfFilter;
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterAfter(new CsrfTokenGeneratorFilter(), CsrfFilter.class);
}
}
/**
* Filter which adds CSRF information as response headers.
*
* @author Patrick Grimard
* @since 12/31/2013 4:48 PM
*/
public final class CsrfTokenGeneratorFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
// Spring Security will allow the Token to be included in this header name
response.setHeader("X-CSRF-HEADER", token.getHeaderName());
// Spring Security will allow the token to be included in this parameter name
response.setHeader("X-CSRF-PARAM", token.getParameterName());
// this is the value of the token to be included as either a header or an HTTP parameter
response.setHeader("X-CSRF-TOKEN", token.getToken());
filterChain.doFilter(request, response);
}
}
import my.filter.CsrfTokenGeneratorFilter;
import org.springframework.security.web.csrf.CsrfFilter;
@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilterAfter(new CsrfTokenGeneratorFilter(), CsrfFilter.class);
}
}
/**
* Filter which adds CSRF information as response headers.
*
* @author Patrick Grimard
* @since 12/31/2013 4:48 PM
*/
public final class CsrfTokenGeneratorFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
// Spring Security will allow the Token to be included in this header name
response.setHeader("X-CSRF-HEADER", token.getHeaderName());
// Spring Security will allow the token to be included in this parameter name
response.setHeader("X-CSRF-PARAM", token.getParameterName());
// this is the value of the token to be included as either a header or an HTTP parameter
response.setHeader("X-CSRF-TOKEN", token.getToken());
filterChain.doFilter(request, response);
}
}