java - Spring 安全: activating csrf disables/logout

Question

我正在尝试启用 csrf 保护，但仅限登录页面。我添加了以下 spring security 配置(<http> 标签已经存在)

<http ... >
  <sec:csrf request-matcher-ref="myBean" />
  ...
</http>

<bean id="myBean" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
  <constructor-arg name="pattern" value="/login"/>
  <constructor-arg name="httpMethod" value="POST"/>
</bean>

现在登录页面确实具有csrf保护。然而，由于一个奇怪的原因，/logout现在给出 404 错误。事实上，如果我替换 /login与 /foobar ，我在/logout 上仍然出现 404 错误。但如果我添加 disabled="true"在 <sec:csrf/>标签，它又可以工作了。

知道为什么吗？

谢谢

Answer 1

如果启用了 csrf，POST 请求将执行注销，如本问题所述。也许这个( Logout is not working in Spring Security )可以提供帮助。

在 https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#servlet-considerations-csrf-logout据说:

If CSRF protection is enabled (default), Spring Security’s LogoutFilter to only process HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users. The easiest approach is to use a form to log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.

本节还说明了如何执行 HTTP GET 请求来注销，尽管通常不建议这样做。