如何在Spring中使用application.properties禁用CSRF? [英] How to disable csrf in Spring using application.properties?

问题描述

存在以下属性:

security.enable-csrf=false

如果将属性添加到application.properties，则csrf保护仍然处于启用状态.

BUT csrf protection is still on if I add the property to application.properties.

起作用的是以编程方式禁用它.

What works is to disable it programatically.

但是我更喜欢属性配置.为什么它不起作用?

But I'd prefer properties configuration. Why could it not be working?

@Configuration
public class AuthConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.csrf().disable();

    }
}

推荐答案

由于WebSecurityConfigurerAdapter使用命令式方法，因此可以注入security.enable-csrf变量的值，并在CSRF为false时禁用它.您是对的，我认为这应该可以立即使用.

As the WebSecurityConfigurerAdapter uses an imperative approach you can inject the value of the security.enable-csrf variable and disable CSRF when it be false. You are right, I think this should work out of the box.

@Configuration
public class AuthConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;

    @Value("${security.enable-csrf}")
    private boolean csrfEnabled;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
       super.configure(http);

       if(!csrfEnabled)
       {
         http.csrf().disable();
       }
    }
}

我要做的是在我的 dev 弹簧配置文件处于活动状态时，在我的application.yml中将该变量设置为false，尽管您可以创建一个名为 nosecurity 的配置文件.出于这样的目的.大大简化了此过程:

What I did was to set that variable to false in my application.yml for when I had a dev spring profile active, although you could create a profile called nosecurity for such purposes too. It eases this process a lot:

--- application.yml ---

--- application.yml ---

# Production configuration
server:
  port: ${server.web.port}
admin.email: ${admin.email}
#etc
---
spring:
  profiles: dev

security.enable-csrf: false

#other Development configurations

我希望它能满足您的需求

I hope it suits your needs

基于 Spring Boot成员的评论此问题已在Spring的新版本中解决:我在版本1.5.2.RELEASE中拥有它，但似乎在版本

Based on a comment of a Spring Boot member this issue is fixed on new versions of Spring: I had it on version 1.5.2.RELEASE but it seems that in version 1.5.9.RELEASE (the latest stable one to the date before version 2) its already fixed and by default csrf is disabled and it can be enabled with security.enable_csrf: true. Therefore a possible solution could be just upgrading to version 1.5.9.RELEASE, before making a major one to version 2 where the architecture might be quite more different.

这篇关于如何在Spring中使用application.properties禁用CSRF?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！