在Java WebSecurityConfigurerAdapter中禁用CSRF。春天的休息

问题描述 投票:0回答:1

我正在使用Spring和Tiles进行新的webapp。到目前为止,我有登录,创建/编辑用户工作。现在,我必须从使用json的第三个应用程序的Rest Controller开始。我只需要在其余的URL上禁用csrf。

我尝试使用spring <csrf disabled="true"/>中的XML并且它可以工作但是对于enthire应用程序是否有一种方法可以通过路径进行此配置,或者唯一的方法是通过Java将其写下来?:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }
}

这对我不起作用,我发现的每一个简单的例子都是一样的,似乎对除了我以外的每个人都有用,我做错了什么?

spring-security配置:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true">
<!--        <csrf disabled="true"/>  -->
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/welcome" access="hasRole('ROLE_ADMIN')"/>
<!--        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" access="ROLE_USER,ROLE_ADMIN"/> -->
        <intercept-url pattern="/administration/**" access="hasRole('ROLE_ADMIN')"/>
        <form-login login-page="/login" default-target-url="/" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password" />
        <logout logout-success-url="/login?logout" />
    </http>


    <authentication-manager>
        <authentication-provider ref="CustomAuthenticationProvider" />
    </authentication-manager>
    <beans:bean id="CustomAuthenticationProvider"
        class="net.eqtconsulting.webapp.service.CustomAuthenticationProvider">
    </beans:bean>
    <beans:bean id="encoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <beans:constructor-arg name="strength" value="11" />
    </beans:bean>
</beans:beans>

我的春天mvc

<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/mvc 
        http://www.springframework.org/schema/mvc/spring-mvc.xsd 
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <mvc:annotation-driven/>

    <mvc:resources mapping="/resources/**" location="/WEB-INF/resources/"/>

    <mvc:interceptors>
        <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
            <property name="paramName" value="lang" />
        </bean>
    </mvc:interceptors>

    <bean id="localeResolver" class="org.springframework.web.servlet.i18n.CookieLocaleResolver">
        <property name="cookieName" value="locale" />
    </bean>
    <!-- Application Message Bundle -->
    <bean id="messageSource"
        class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <property name="basename" value="WEB-INF/i18n/messages" />
        <property name="fallbackToSystemLocale" value="false" />
        <property name="useCodeAsDefaultMessage" value="true" />
        <property name="cacheSeconds" value="3000" />
    </bean>

    <mvc:annotation-driven >
        <mvc:argument-resolvers>
            <bean class="org.springframework.data.web.PageableHandlerMethodArgumentResolver">
                <property name="maxPageSize" value="10"></property>
            </bean>
        </mvc:argument-resolvers>
    </mvc:annotation-driven>

    <context:component-scan base-package="com.javatpoint.controller" />
    <bean id="viewResolver" class="org.springframework.web.servlet.view.tiles3.TilesViewResolver" />
    <bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles3.TilesConfigurer">
        <property name="definitions">
            <list>
                <value>/WEB-INF/tiles.xml</value>
            </list>
        </property>
    </bean>
</beans>

我也想通过使用2个xml servlet来实现它,但是如何使弹簧安全工作,我可以使用另一个吗?

java spring rest csrf
1个回答
0
投票

添加到我的xml配置,工作得很好:

<http pattern="/rest/**" security="none" />

然后是标准应用程序的其他<http... </http>配置

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.