如何在Spring中使用application.properties禁用CSRF? [英] How to disable csrf in Spring using application.properties?
问题描述
存在以下属性:
security.enable-csrf=false
如果将属性添加到application.properties
,则csrf保护仍然处于启用状态.
BUT csrf protection is still on if I add the property to application.properties
.
起作用的是以编程方式禁用它.
What works is to disable it programatically.
但是我更喜欢属性配置.为什么它不起作用?
But I'd prefer properties configuration. Why could it not be working?
@Configuration
public class AuthConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.csrf().disable();
}
}
推荐答案
由于WebSecurityConfigurerAdapter
使用命令式方法,因此可以注入security.enable-csrf
变量的值,并在CSRF为false时禁用它.您是对的,我认为这应该可以立即使用.
As the WebSecurityConfigurerAdapter
uses an imperative approach you can inject the value of the security.enable-csrf
variable and disable CSRF when it be false. You are right, I think this should work out of the box.
@Configuration
public class AuthConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Value("${security.enable-csrf}")
private boolean csrfEnabled;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
if(!csrfEnabled)
{
http.csrf().disable();
}
}
}
我要做的是在我的 dev 弹簧配置文件处于活动状态时,在我的application.yml中将该变量设置为false,尽管您可以创建一个名为 nosecurity 的配置文件.出于这样的目的.大大简化了此过程:
What I did was to set that variable to false in my application.yml for when I had a dev spring profile active, although you could create a profile called nosecurity for such purposes too. It eases this process a lot:
--- application.yml ---
--- application.yml ---
# Production configuration
server:
port: ${server.web.port}
admin.email: ${admin.email}
#etc
---
spring:
profiles: dev
security.enable-csrf: false
#other Development configurations
我希望它能满足您的需求
I hope it suits your needs
基于 Spring Boot成员的评论此问题已在Spring的新版本中解决:我在版本1.5.2.RELEASE
中拥有它,但似乎在版本
Based on a comment of a Spring Boot member this issue is fixed on new versions of Spring: I had it on version 1.5.2.RELEASE
but it seems that in version 1.5.9.RELEASE (the latest stable one to the date before version 2) its already fixed and by default csrf is disabled and it can be enabled with security.enable_csrf: true
. Therefore a possible solution could be just upgrading to version 1.5.9.RELEASE
, before making a major one to version 2 where the architecture might be quite more different.
这篇关于如何在Spring中使用application.properties禁用CSRF?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!