I ran into a problem with Spring Security where the response cookie is generated twice, i.e.

Set-Cookie: XSRF-TOKEN=cf2c22be-2ea1-4a1e-a6e7-36b4090c6548; Path=/services; HttpOnly
Set-Cookie: XSRF-TOKEN=cf2c22be-2ea1-4a1e-a6e7-36b4090c6548; Path=/

I googled for any solution to this problem and found this post, which some people have commented on:
https://github.com/spring-projects/spring-security/issues/11164
This causes a problem, because the browser is using the cookie with the default path rather than the one I want it to use, i.e. the first one. Customizing the cookie repository like this has no effect, because the browser picks the last cookie, not mine!!!! My Spring Boot version is 2.7.3.
private CookieServerCsrfTokenRepository csrfTokenRepository() {
    CookieServerCsrfTokenRepository repository = new CookieServerCsrfTokenRepository();
    repository.setCookiePath("/services");
    return repository;
}
This is how I configure Spring Security:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    // @formatter:off
    http
        .securityMatcher(new NegatedServerWebExchangeMatcher(new OrServerWebExchangeMatcher(
            pathMatchers("/app/**", "/_app/**", "/i18n/**", "/img/**", "/content/**",
                         "/swagger-ui/**", "/v3/api-docs/**", "/test/**"),
            pathMatchers(HttpMethod.OPTIONS, "/**"))))
        .csrf()
            .csrfTokenRepository(csrfTokenRepository())
        .and()
        // See https://github.com/spring-projects/spring-security/issues/5766
        .addFilterAt(new CookieCsrfFilter(), SecurityWebFiltersOrder.REACTOR_CONTEXT)
        .addFilterBefore(corsWebFilter, SecurityWebFiltersOrder.REACTOR_CONTEXT)
        .exceptionHandling()
            .accessDeniedHandler(problemSupport)
            .authenticationEntryPoint(problemSupport)
        .and()
        .headers()
            .contentSecurityPolicy(jHipsterProperties.getSecurity().getContentSecurityPolicy())
            .and()
            .referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            .and()
            .permissionsPolicy().policy("camera=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=()")
            .and()
            .frameOptions().mode(Mode.DENY)
        .and()
        .authorizeExchange()
            .pathMatchers("/api/authenticate").permitAll()
            .pathMatchers("/api/auth-info").permitAll()
            .pathMatchers("/api/admin/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .pathMatchers("/api/**").authenticated()
            // microfrontend resources are loaded by webpack without authentication, they need to be public
            .pathMatchers("/services/*/*.js").permitAll()
            .pathMatchers("/services/*/*.js.map").permitAll()
            .pathMatchers(HttpMethod.GET, "/services/tradelist/api/v1/public/trade/**").permitAll()
            .pathMatchers("/services/banklookup/api/v1/public/bankinfo/**").permitAll()
            .pathMatchers(HttpMethod.GET, "/services/addresslookup/api/v1/public/addresses/*").permitAll()
            .pathMatchers("/services/*/v3/api-docs").hasAuthority(AuthoritiesConstants.ADMIN)
            .pathMatchers("/services/**").authenticated()
            .pathMatchers("/management/health").permitAll()
            .pathMatchers("/*****/health/**").permitAll()
            .pathMatchers("/*****/info").permitAll()
            .pathMatchers("/****/prometheus").permitAll()
            .pathMatchers("/****/**").hasAuthority(AuthoritiesConstants.ADMIN);
    http.oauth2Login(oauth2 -> oauth2.authorizationRequestResolver(authorizationRequestResolver(this.clientRegistrationRepository)))
        .oauth2ResourceServer()
            .jwt()
                .jwtAuthenticationConverter(jwtAuthenticationConverter());
    http.oauth2Client();
    // @formatter:on
    return http.build();
}
Could you please tell me what I am doing wrong, because this creates a problem: the CsrfTokenRepository cannot be customized.
Thank you very much for your help.
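Added example, not code from the question or from JHipster or Spring Security. The first Set-Cookie header in the question (Path=/services; HttpOnly) is exactly what CookieServerCsrfTokenRepository emits when its saveToken runs with the posted settings: the repository defaults to HttpOnly, and the path is the configured /services. In the WebFlux CsrfWebFilter the token is only generated and saved when something subscribes to the Mono<CsrfToken> it stores as an exchange attribute, which is the purpose of a filter like the one registered at REACTOR_CONTEXT. If that custom CookieCsrfFilter also builds and adds its own XSRF-TOKEN ResponseCookie (its source is not in the question, so this is an assumption), that would account for the second header with Path=/. The filter below only subscribes so that the repository's saveToken runs and never adds a cookie of its own, leaving a single Set-Cookie under the repository's control; the repository is created with withHttpOnlyFalse() because a double-submit CSRF cookie has to be readable by the front end. The class name and package are hypothetical.

```java
package com.example.security; // hypothetical package name

import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/**
 * Added example (hypothetical class, not JHipster's CookieCsrfFilter).
 *
 * CsrfWebFilter stores a lazy Mono<CsrfToken> under the CsrfToken class name.
 * Subscribing to it makes the configured repository generate and save the
 * token, which is what produces the XSRF-TOKEN Set-Cookie header. This filter
 * does nothing else, so the repository is the only component writing that
 * cookie and its path/HttpOnly settings are the ones the browser sees.
 */
public class CsrfTokenSubscribingFilter implements WebFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
        if (csrfToken == null) {
            // CsrfWebFilter did not run for this exchange (e.g. excluded by securityMatcher)
            return chain.filter(exchange);
        }
        // Resolve the token (triggers repository saveToken), then continue the chain.
        // Deliberately no exchange.getResponse().addCookie(...) here.
        return csrfToken.then(chain.filter(exchange));
    }

    /**
     * Repository to pass to http.csrf().csrfTokenRepository(...).
     * withHttpOnlyFalse() is required for the double-submit pattern: the SPA
     * reads XSRF-TOKEN from document.cookie and echoes it in the X-XSRF-TOKEN
     * header, which an HttpOnly cookie would make impossible.
     */
    public static CookieServerCsrfTokenRepository csrfTokenRepository() {
        CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
        repository.setCookiePath("/services"); // same path the question configures
        return repository;
    }
}
```

Register the filter in place of CookieCsrfFilter at the same position (SecurityWebFiltersOrder.REACTOR_CONTEXT) and pass csrfTokenRepository() to .csrfTokenRepository(...). One caveat on the chosen path that is worth checking before adopting /services: a browser only sends a cookie with Path=/services on requests under /services/, while the posted chain applies CSRF protection to everything the securityMatcher covers, including /api/**. On a state-changing request to /api/... the repository will find no XSRF-TOKEN cookie, generate a fresh token, and the request will be rejected through the access-denied handler. The cookie path therefore has to cover every path that receives protected POST/PUT/DELETE calls, otherwise those calls need a separate arrangement.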