Spring Security: disabling CSRF for Spring Boot Actuator
I'm using Spring Boot Actuator on a different port, as shown below:
server.port=8080
management.port=8989
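In the application I want to use enable-csrf=true, but I don't want to use CSRF on the actuator port, because I want to send bulk POST requests to Jolokia.
Only excluding the actuator path is not smart: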
http.csrf().ignoringAntMatchers("/actuator/**");
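The properties below would be fine for me (but management.security.enable-csrf does not exist).
Is there any good solution?

Because you have a different management port, you can simply disable CSRF for it: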
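import java.util.Objects;
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties; // Spring Boot 1.x package
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
    private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
        return new AndRequestMatcher(requestMatchers);
    }
    private static RequestMatcher not(RequestMatcher requestMatcher) {
        return new NegatedRequestMatcher(requestMatcher);
    }
    private final ManagementServerProperties managementServerProperties;
    public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
        this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Require a CSRF token only for state-changing methods that did not arrive on the management port.
        http.csrf().requireCsrfProtectionMatcher(
                allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
        // other configuration
    }
    // Matches on the local (listening) port of the request, not on its URL path.
    private RequestMatcher accessingManagementPort() {
        // getPort() is null when management.port is unset; Objects.equals avoids an unboxing NPE in that case.
        return httpServletRequest ->
                Objects.equals(httpServletRequest.getLocalPort(), managementServerProperties.getPort());
    }
}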
I see what you're trying to do; this is a bit tricky...
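The decision made by the composed matcher in the answer above, as an added example that is not part of the original posts: it rebuilds the same `allOf(DEFAULT_CSRF_MATCHER, not(managementPort))` composition and evaluates it against constructed requests, showing that the exemption follows the listening port rather than the URL path. It assumes spring-security-web 5.x or earlier (javax.servlet) and spring-test on the classpath; the class name `CsrfPortMatcherDemo`, the helper names and the sample paths are illustrative, and the ports are the ones from the question.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added illustration (hypothetical class): evaluates the matcher without starting a server.
public class CsrfPortMatcherDemo {

    static final int APP_PORT = 8080;         // server.port from the question
    static final int MANAGEMENT_PORT = 8989;  // management.port from the question

    // Same composition as the answer: a CSRF token is required for state-changing
    // methods unless the request arrived on the management port.
    static RequestMatcher csrfRequired(int managementPort) {
        RequestMatcher onManagementPort = request -> request.getLocalPort() == managementPort;
        return new AndRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER, new NegatedRequestMatcher(onManagementPort));
    }

    // Constructed sample request; only method, path and local port matter here.
    static HttpServletRequest request(String method, String path, int localPort) {
        MockHttpServletRequest request = new MockHttpServletRequest(method, path);
        request.setLocalPort(localPort);
        return request;
    }

    public static void main(String[] args) {
        RequestMatcher matcher = csrfRequired(MANAGEMENT_PORT);
        Object[][] cases = {                                 // constructed cases
            {"POST", "/actuator/jolokia", MANAGEMENT_PORT},  // Jolokia POST on the management port
            {"POST", "/actuator/jolokia", APP_PORT},         // same path sent to the application port
            {"POST", "/orders", APP_PORT},                   // ordinary application POST (made-up path)
            {"GET", "/orders", APP_PORT},                    // safe method on the application port
        };
        for (Object[] c : cases) {
            boolean required = matcher.matches(request((String) c[0], (String) c[1], (Integer) c[2]));
            System.out.printf("%-4s %-18s port %d -> CSRF token required: %b%n", c[0], c[1], c[2], required);
        }
    }
}
```

Because the exemption is tied to the port, anything that can reach the management port can send state-changing requests without a token, so that port should be bound and firewalled accordingly.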