Spring Security,无状态REST服务和CSRF [英] Spring Security, Stateless REST service and CSRF
问题描述
我有一个REST服务,它使用Java,Spring-boot和带有基本访问身份验证的Spring Security构建。没有视图,没有JSP等,没有登录,只有可以从单独托管的React应用调用的无状态服务。
I have a REST service, built using Java, Spring-boot and using Spring Security with Basic Access Authentication. There are no Views, no JSP etc, no 'login', just stateless services which can be called from a React app hosted separately.
我读过各种有关CSRF保护的文档,但是无法决定我应该使用spring-security CSRF配置还是仅禁用它?如果禁用csrf保护,则可以使用基本身份验证使用curl调用服务,如下所示:
I've read a variety of documentation about CSRF protection, but can't decide whether I should be using spring-security CSRF config, or just disabling it? If I disable the csrf protection I can call the service with curl using my basic auth like this:
curl -H "authorization:Basic c35sdfsdfjpzYzB0dDFzaHA=" -H "content-type:application/json" -d '{"username":"user","password":"password","roles":"USER"}' localhost:8081/api/v1/user
如果我启用了csrf保护并提供了 x-csrf -token 标头,然后春季CsrfFilter尝试对照 HttpServletRequest 中的会话cookie(我认为)中的值进行交叉检查。但是,由于它是无状态的REST服务,所以我没有会话,也没有登录。
If I enable the csrf protection and provide a x-csrf-token header, then the spring CsrfFilter attempts to cross check this against a value from (I think) a session cookie in the HttpServletRequest. However since its a stateless REST service I don't have a session, and haven't 'logged in'.
我有一个配置类,如下所示:
I have a config class which looks like this:
@EnableWebSecurity
@Configuration
public class ServiceSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and().httpBasic();
if (!serviceProperties.isCsrfEnabled()) {
http.csrf().disable();
}
}
我思考的越多,看起来就越多我将只需要禁用CSRF保护。
The more I think about it, the more it seems that I will just need to disable CSRF protection. Is there another way to configure spring security so it will work?
谢谢
推荐答案
要回答您的第一个问题,在您描述的上下文中,您不需要CSRF保护。 CSRF保护的背景是确保不会诱骗用户执行某些不必要的操作。
To answer your first question, in the context that you describe, you do not need CSRF protection. The background of CSRF protection is to ensure that the user is not tricked into doing some unwanted action.
例如,从纯理论上讲,您可以登录到银行的网站(从而建立了会话),然后访问了一些黑幕网站。该网站可能具有向银行的API发出POST请求的表单。因为那里有一个会话,所以如果端点不受CSRF保护,则该请求可能会通过。
For example, in pure theory, you could have logged into a bank's website (and thus established a session) and then went to some shady website. This site could have a form making a POST request to the bank's APIs. Because you have a session there, if the endpoint is not CSRF protected, then the request may go through.
因此,CSRF大部分是针对浏览器+会话的保护基于攻击。如果您使用例如公开纯REST API OAuth保护,那么我看不到CSRF的任何原因。
As such, CSRF mostly acts as a protection against browser + session based attacks. If you expose a pure REST API with e.g. OAuth protection, then I don't see any reason for CSRF.
当您使用Spring Boot时,也可以使用应用程序禁用CSRF。属性 / application.yaml 配置文件。
As you use spring boot, you could also disable CSRF using the application.properties / application.yaml configuration file.
security.enable-csrf=false
您可以签出通用应用程序属性文档页面,以了解更多-box配置选项。
You can check out the Common Application Properties documentation page for more out-of-the-box configuration options.
这篇关于Spring Security,无状态REST服务和CSRF的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
