Spring security 弹簧启动执行器禁用csrf_Spring Security_Csrf_Spring Boot Actuator

Spring security 弹簧启动执行器禁用csrf

spring-security

Spring security 弹簧启动执行器禁用csrf,spring-security,csrf,spring-boot-actuator,Spring Security,Csrf,Spring Boot Actuator,我使用了不同端口的弹簧启动执行器，如下所示 server.port=8080 management.port=8989 在应用程序中，我想使用enable csrf=true，但我不想在执行器端口中使用csrf。因为我想对jolokia使用批量POST请求仅排除执行器不智能 http.csrf().ignoringAntMatchers("/actuator/**"); 下面的属性对我很好（btmanagement.security.enable csrf不存在）有什么好的解决方案吗？因

我使用了不同端口的弹簧启动执行器，如下所示

server.port=8080
management.port=8989

在应用程序中，我想使用

enable csrf=true

，但我不想在执行器端口中使用

csrf

。因为我想对jolokia使用批量POST请求

仅排除执行器不智能

http.csrf().ignoringAntMatchers("/actuator/**");

下面的属性对我很好（bt

management.security.enable csrf

不存在）

有什么好的解决方案吗？

因为您有一个不同的管理端口，您只需为此禁用CSRF即可：

@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
        return new AndRequestMatcher(requestMatchers);
    }

    private static RequestMatcher not(RequestMatcher requestMatcher) {
        return new NegatedRequestMatcher(requestMatcher);
    }

    private final ManagementServerProperties managementServerProperties;

    public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
        this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(
                allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
        // other configuration
    }

    private RequestMatcher accessingManagementPort() {
        return httpServletRequest -> httpServletRequest.getLocalPort() == managementServerProperties.getPort();
    }

}

我知道你想做什么，这有点棘手。。。

@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
        return new AndRequestMatcher(requestMatchers);
    }

    private static RequestMatcher not(RequestMatcher requestMatcher) {
        return new NegatedRequestMatcher(requestMatcher);
    }

    private final ManagementServerProperties managementServerProperties;

    public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
        this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(
                allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
        // other configuration
    }

    private RequestMatcher accessingManagementPort() {
        return httpServletRequest -> httpServletRequest.getLocalPort() == managementServerProperties.getPort();
    }

}