Spring security 春云门柱禁
我使用RelayToken筛选器在云网关路由后面提供资源服务:Spring security 春云门柱禁,spring-security,cross-domain,csrf,spring-cloud-gateway,Spring Security,Cross Domain,Csrf,Spring Cloud Gateway,我使用RelayToken筛选器在云网关路由后面提供资源服务: routes: - id: apis uri: http://rest-app:8080/apis predicates: - Path=/apis/** filters: - TokenRelay= GET请求工作正常,但在帖子中我得到403禁止,回复正文包含 CSRF令牌已关联到此客户端 我已
routes:
- id: apis
uri: http://rest-app:8080/apis
predicates:
- Path=/apis/**
filters:
- TokenRelay=
GET请求工作正常,但在帖子中我得到403禁止,回复正文包含
CSRF令牌已关联到此客户端
我已尝试禁用CSRF保护添加Bean
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http.csrf().disable().cors().disable().build()
}
但这没有效果,我仍然得到403。此外,我无法调试哪个过滤器阻止客户端执行POST请求,这是我获得的唯一日志信息
logging:
level:
root: INFO
org.springframework.web: TRACE
org.springframework.security: TRACE
org.springframework.security.oauth2: TRACE
org.springframework.cloud.gateway: TRACE
org.springframework.security.jwt: TRACE
只是几句话说这是禁止张贴的
[2020-04-01 13:21:32,635] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] HTTP POST "/apis/", headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] Completed 403 FORBIDDEN, headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.h.s.r.ReactorHttpHandlerAdapter - [58a0e540-10] Handling completed
如何正确关闭CSRF?正确的安全WebFilterChain解决了我的问题:
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http
.authorizeExchange().anyExchange().authenticated()
.and()
.oauth2Login()
.and()
.csrf().disable()
.build()
}
我也面临同样的问题。我的网关不会登录,但会期望消费者在请求中发送承载jwt令牌。http.csrf.disable()在eclipse(http)中对我有效,但当在ocp4/docker(https)中部署相同的应用程序时,它的解决方案就不起作用了。