Java: filters still filter POSTs after being disabled
Because of problems with Play and its HTTP filters, I have tried several ways to disable them, but it keeps reporting that the filters are enabled. Is there some other way to disable them that I have not tried? Here is my application.conf file:
play.filters {
  # Enabled filters are run automatically against Play.
  # CSRFFilter, AllowedHostFilters, and SecurityHeadersFilters are enabled by default.
  #enabled += filters.ExampleFilter
  # Disabled filters remove elements from the enabled list.
  disabled += filters.ExampleFilter
  ## CORS filter configuration
  # https://www.playframework.com/documentation/latest/CorsFilter
  # ~~~~~
  # CORS is a protocol that allows web applications to make requests from the browser
  # across different domains.
  # NOTE: You MUST apply the CORS configuration before the CSRF filter, as CSRF has
  # dependencies on CORS settings.
  cors {
    # Filter paths by a whitelist of path prefixes
    #pathPrefixes = ["/some/path", ...]
    # The allowed origins. If null, all origins are allowed.
    allowedOrigins = null
    # ["http://www.example.com"]
    # The allowed HTTP methods. If null, all methods are allowed
    #allowedHttpMethods = ["GET", "POST"]
    play.filters.disabled += "play.filters.cors.CORSFilter"
  }
  ## CSRF Filter
  # https://www.playframework.com/documentation/latest/ScalaCsrf#Applying-a-global-CSRF-filter
  # https://www.playframework.com/documentation/latest/JavaCsrf#Applying-a-global-CSRF-filter
  # ~~~~~
  # Play supports multiple methods for verifying that a request is not a CSRF request.
  # The primary mechanism is a CSRF token. This token gets placed either in the query string
  # or body of every form submitted, and also gets placed in the users session.
  # Play then verifies that both tokens are present and match.
  csrf {
    # Sets the cookie to be sent only over HTTPS
    #cookie.secure = true
    # Defaults to CSRFErrorHandler in the root package.
    #errorHandler = MyCSRFErrorHandler
    play.filters.disabled += "play.filters.csrf.CSRFFilter"
  }
  play.filters.disabled += "play.filters.hosts.AllowedHostsFilter"
  play.filters.enabled=[]
  ## Security headers filter configuration
  # https://www.playframework.com/documentation/latest/SecurityHeaders
  # ~~~~~
  # Defines security headers that prevent XSS attacks.
  # If enabled, then all options are set to the below configuration by default:
  headers {
    # The X-Frame-Options header. If null, the header is not set.
    #frameOptions = "DENY"
    # The X-XSS-Protection header. If null, the header is not set.
    #xssProtection = "1; mode=block"
    # The X-Content-Type-Options header. If null, the header is not set.
    #contentTypeOptions = "nosniff"
    # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
    #permittedCrossDomainPolicies = "master-only"
    # The Content-Security-Policy header. If null, the header is not set.
    #contentSecurityPolicy = "default-src 'self'"
  }
}
I even disabled it at the top of the routes. Here is the routes file:
GET / controllers.ShopController.index
+ nocsrf
GET /products controllers.ShopController.listOfProducts()
+ nocsrf
GET /products/new controllers.ShopController.createNewProduct()
+ nocsrf
POST /products/new controllers.ShopController.saveProduct()
# An example controller showing how to use dependency injection
GET /count controllers.CountController.count
# An example controller showing how to write asynchronous code
GET /message controllers.AsyncController.message
# Map static resources from the /public folder to the /assets URL path
GET /assets/*file controllers.Assets.versioned(path="/public", file: Asset)
Here is the stack trace:
[info] application - ApplicationTimer demo: Stopping application at 2018-05-28T00:46:22.634Z after 245s.
[info] application - Shutting down connection pool.
[info] application - Creating Pool for datasource 'default'
[info] p.a.d.DefaultDBApi - Database [default] connected at jdbc:h2:mem:play
[info] application - ApplicationTimer demo: Starting application at 2018-05-28T00:46:23.076Z
[warn] o.h.v.m.ParameterMessageInterpolator - HV000184: ParameterMessageInterpolator has been chosen, EL interpolation will not be supported
[info] p.a.h.EnabledFilters - Enabled Filters (see <https://www.playframework.com/documentation/latest/Filters>):
play.filters.csrf.CSRFFilter
play.filters.headers.SecurityHeadersFilter
play.filters.hosts.AllowedHostsFilter
[info] play.api.Play - Application started (Dev)
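I don't understand why it is not disabled, even after recompiling and even restarting sbt... I would really appreciate your help... Thanks.

It seems you used the play seed template to develop your Play application. You can delete everything from application.conf and then build on top of that, since it touches on different aspects of Play. You can even have just the following about filters in the whole application.conf: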
play.filters.disabled += "play.filters.csrf.CSRFFilter"
play.filters.disabled += "play.filters.headers.SecurityHeadersFilter"
play.filters.disabled += "play.filters.hosts.AllowedHostsFilter"
play.filters.disabled += "filters.ExampleFilter"
Also, for cleaner code, remove all the filter-related classes, since you don't need or use them. Then do a clean/compile/run to see the result:
sbt clean compile run
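Thanks for the reply; I did as you suggested, but I still get the same error. The same error, just as I wrote in the stack trace.

@salkthesulker I don't see any error in the stack trace; you have one warn and the rest are info. What error are you talking about?

OK, maybe I should have been clearer: this is not a particular error. The problem is that I want to make a POST request, but the Play HTTP filters (play.filters.csrf.CSRFFilter, play.filters.headers.SecurityHeadersFilter, play.filters.hosts.AllowedHostsFilter) are filtering out the POST request and not allowing it; so I want to disable these filters and add them back later. I am still in the testing phase, so I just need to run the code without anything being filtered out. For security reasons Play is actually right, but I don't need the filters right now.

@salkthesulker Just simply disable all the filters; I have updated the answer. Hope that helps.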
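
An added example, not part of the original thread: in HOCON, a key written inside a `{ }` block is relative to that block, so the sketch below resolves each setting to its full path and reports which entries actually land on `play.filters.disabled`. The sample config is constructed from the question's nesting, the parser covers only a small brace-nested subset of HOCON, and the function names are hypothetical.

```python
import re

# Constructed sample: same nesting as the question's application.conf, trimmed.
SAMPLE = """
play.filters {
  disabled += filters.ExampleFilter
  cors {
    allowedOrigins = null
    play.filters.disabled += "play.filters.cors.CORSFilter"
  }
  csrf {
    play.filters.disabled += "play.filters.csrf.CSRFFilter"
  }
  play.filters.disabled += "play.filters.hosts.AllowedHostsFilter"
  play.filters.enabled=[]
}
"""

OPEN = re.compile(r"^([\w.]+)\s*[:=]?\s*\{$")          # e.g. "cors {"
ASSIGN = re.compile(r"^([\w.]+)\s*(\+=|=|:)\s*(.+)$")  # e.g. "a.b += x"

def resolve(conf):
    """Yield (written_key, full_path, op, value) for a brace-nested HOCON subset."""
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: no '#' inside values
        if line == "}":
            stack.pop()
        elif m := OPEN.match(line):
            stack.append(m.group(1))
        elif m := ASSIGN.match(line):
            key, op, value = m.groups()
            yield key, ".".join(stack + [key]), op, value.strip('"')

def effective_disabled(conf):
    """Values that actually land on the path play.filters.disabled."""
    return [v for _, full, op, v in resolve(conf)
            if full == "play.filters.disabled" and op == "+="]

def misnested(conf):
    """Full paths of play.filters.* keys that resolved somewhere else."""
    return [full for key, full, _, _ in resolve(conf)
            if key.startswith("play.filters.") and full != key]

if __name__ == "__main__":
    print("disabled :", effective_disabled(SAMPLE))
    for path in misnested(SAMPLE):
        print("misplaced:", path)
```

Run against the constructed sample, only `filters.ExampleFilter` reaches `play.filters.disabled`, which matches the three built-in filters still appearing in the `Enabled Filters` log line.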