gpt4 book ai didi

java - 如何在 spring boot 项目中忽略特定 URL 的 spring security CSRF

转载 作者:行者123 更新时间:2023-12-05 01:01:56 25 4
gpt4 key购买 nike

如何忽略特定 URL 的 CSRF 安全性,例如“/workflow/**”。除了这个 URL,我需要所有 URL 和方法的授权和 CSRF 安全。

@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private RESTAuthenticationEntryPoint authenticationEntryPoint;

@Autowired
private RESTAuthenticationFailureHandler authenticationFailureHandler;

@Autowired
private RESTAuthenticationSuccessHandler authenticationSuccessHandler;

@Autowired
private PranaUserDetailsService userDetailsService;

@Override
protected void configure(HttpSecurity http) throws Exception {

http.csrf().requireCsrfProtectionMatcher(new AllExceptUrlStartedWith("/workflow"))
.and().authorizeRequests()
.antMatchers("/rest/**", "/tasklist").authenticated()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/index.html")
.and().exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
.and().formLogin().successHandler(authenticationSuccessHandler)
.and().formLogin().failureHandler(authenticationFailureHandler)
.and().csrf().csrfTokenRepository(csrfTokenRepository()).and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
}

private static class AllExceptUrlStartedWith implements RequestMatcher {

private static final String[] ALLOWED_METHODS =
new String[] {"GET"};

private final String[] allowedUrls;

public AllExceptUrlStartedWith(String... allowedUrls) {
this.allowedUrls = allowedUrls;
}

@Override
public boolean matches(HttpServletRequest request) {
String method = request.getMethod();
for(String allowedMethod : ALLOWED_METHODS) {
if (allowedMethod.equals(method)) {
return false;
}
}

String uri = request.getRequestURI();
for (String allowedUrl : allowedUrls) {
if (uri.startsWith(allowedUrl)) {
return false;
}
}
return true;
}

}

private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}

@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/styles/**").antMatchers("/scripts/**");
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
}

如何忽略特定 URL 的 CSRF 安全性,例如“/workflow/**”。除了这个 URL,我需要所有 URL 和方法的授权和 CSRF 安全。

最佳答案

在我的项目中,我使用了以下代码:

@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
...
.csrf()
// Allow unsecured requests to H2 console
.requireCsrfProtectionMatcher(new AllExceptUrlsStartedWith("/console"))
...
}

private static class AllExceptUrlsStartedWith implements RequestMatcher {

private static final String[] ALLOWED_METHODS =
new String[] {"GET", "HEAD", "TRACE", "OPTIONS"};

private final String[] allowedUrls;

public AllExceptUrlsStartedWith(String... allowedUrls) {
this.allowedUrls = allowedUrls;
}

@Override
public boolean matches(HttpServletRequest request) {
// replicate default behavior (see CsrfFilter.DefaultRequiresCsrfMatcher class)
String method = request.getMethod();
for (String allowedMethod : ALLOWED_METHODS) {
if (allowedMethod.equals(method)) {
return false;
}
}

// apply our own exceptions
String uri = request.getRequestURI();
for (String allowedUrl : allowedUrls) {
if (uri.startsWith(allowedUrl)) {
return false;
}
}

return true;
}

}

在这个例子中,我为 /console 禁用了 CSRF 保护。


更新:since Spring Security 4.0 you can simplify it to a single line :

csrf()
.ignoringAntMatchers("/nocsrf","/ignore/startswith/**")

关于java - 如何在 spring boot 项目中忽略特定 URL 的 spring security CSRF,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/32698808/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com