Spring Security CSRF is disabled, but "Invalid CSRF token found" is still logged

Problem description   Votes: 0   Answers: 1

I am having a problem with CSRF even though it is disabled in my Spring configuration. My log output is:

Invalid CSRF token found for http://localhost:8080/exercise/

I have this Spring configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is switched off for the whole filter chain
        http.csrf().disable();
        http
                .httpBasic()
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/user/add").hasRole("ADMIN")
                .antMatchers(HttpMethod.POST).hasAnyRole("ADMIN", "TRAINER")
                .antMatchers(HttpMethod.DELETE).hasAnyRole("ADMIN", "TRAINER")
                .antMatchers(HttpMethod.GET).permitAll()
                .antMatchers(HttpMethod.PUT).permitAll()
                .antMatchers(HttpMethod.HEAD).permitAll()
                .antMatchers("/register/").authenticated()
                .and()
                .exceptionHandling()
                .and()
                .formLogin()
                .permitAll()
                .and()
                .logout()
                .permitAll();
    }

It seems that I am authenticated and authorized, because the log shows:

Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1ddb0b4b: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1ddb0b4b: Principal: com.brevisfit.api.model.user.User[ iduser=1 ]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_TRAINER'

I have the problem with POST / DELETE / PUT requests: they produce a 403 response, which as far as I understand comes from CsrfFilter.class:

    if (!csrfToken.getToken().equals(actualToken)) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Invalid CSRF token found for "
                    + UrlUtils.buildFullRequestUrl(request));
        }
        // ... the filter then passes the request to its AccessDeniedHandler, which sends the 403
    }

For the requests I am using Postman.

java spring spring-boot csrf
1 answer

0 votes

Your AuthenticationBuilder should be @Autowired.

    @Autowired
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider());
    }

See this
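For reference, here is a complete configuration class that wires the two pieces discussed in this thread together: the `@Override` of `configure(HttpSecurity)` with CSRF disabled, and the `@Autowired` method that registers the authentication provider on the `AuthenticationManagerBuilder`. This is an added example, not code from the question or the answer. It assumes Spring Security 5.x (`WebSecurityConfigurerAdapter` is deprecated in 5.7 and removed in 6.x), a `UserDetailsService` bean supplied elsewhere in the application, and a `DaoAuthenticationProvider` backed by BCrypt; the package name, the `SecurityConfig` class name and the method name `configureGlobal` are my choices, not from the post. The request matchers are the ones from the question, reordered so the specific `/register/` rule comes before the method-wide rules, because Spring evaluates `antMatchers` in declaration order and the first match wins.

```java
package com.example.security; // hypothetical package, not from the original post

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity // registers this adapter with the Spring Security filter chain
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: the application provides a UserDetailsService bean that
    // loads users carrying ROLE_ADMIN / ROLE_TRAINER authorities.
    private final UserDetailsService userDetailsService;

    public SecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(passwordEncoder());
        return provider;
    }

    // The point made in the answer: this method is injected by Spring (@Autowired)
    // with the global AuthenticationManagerBuilder. Any method name works.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(authenticationProvider());
    }

    // @Override makes the compiler fail if the signature does not match the
    // adapter's method, so a silently ignored configuration cannot happen here.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // removes CsrfFilter from this chain entirely
            .and()
            .httpBasic()
            .and()
            .authorizeRequests()
                // specific rule first; later method-wide rules would otherwise shadow it
                .antMatchers("/register/").authenticated()
                .antMatchers(HttpMethod.POST, "/user/add").hasRole("ADMIN")
                .antMatchers(HttpMethod.POST).hasAnyRole("ADMIN", "TRAINER")
                .antMatchers(HttpMethod.DELETE).hasAnyRole("ADMIN", "TRAINER")
                .antMatchers(HttpMethod.GET).permitAll()
                .antMatchers(HttpMethod.PUT).permitAll()
                .antMatchers(HttpMethod.HEAD).permitAll()
            .and()
            .exceptionHandling()
            .and()
            .formLogin().permitAll()
            .and()
            .logout().permitAll();
    }
}
```

One caveat worth keeping in mind before shipping this: the log line in the question (`Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT`) shows the security context being restored from the HTTP session, so the API accepts session-cookie authentication. With `csrf().disable()` in place, any site the logged-in user visits can fire a cross-origin POST or DELETE that the browser will send with that cookie and the server will accept. Disabling CSRF is only safe when requests are authenticated by something a third-party page cannot attach automatically (for example an `Authorization` header, as with `httpBasic()` from Postman); if `formLogin()` and sessions stay in use for browser clients, keep CSRF enabled for those and exempt only the header-authenticated endpoints with `csrf().ignoringAntMatchers(...)`.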

© www.soinside.com 2019 - 2024. All rights reserved.