仅使用Spring Security CSRF功能 [英] Using just Spring Security CSRF feature

问题描述

我只想使用Spring Security的CSRF功能，而没有其他任何身份验证/授权功能，因为这些功能是由第三方提供商为我提供的。如果可以做到，我该如何告诉Spring不要寻找任何带有其依赖bean的身份验证管理器，而只是拦截所有URL，并添加csrf令牌。

I'd like to use just the Spring Security's CSRF feature without any of the other authentication/authorization features since those features are provided by a third party provider for me. If this can be done, how do I tell Spring not to look out for any authentication manager with its dependent beans and just intercept all URLs, and add the csrf token.

推荐答案

我通过进行以下更改/添加使CSRF功能正常运行。另外，我在jsp中使用了< form：form> 标记来利用Spring令牌的自动插入。

I got the CSRF feature working by making the following changes/additions. Also, I used the <form:form> tag in my jsp to leverage the automatic insertion of the token by Spring.

个罐子：

spring-security-acl-4.0.0.RC1.jar
spring-security-config-4.0.0.RC1.jar
spring-security-core-4.0.0.RC1.jar
spring-security-taglibs-4.0.0.RC1.jar
spring-security-web-4.0.0.RC1.jar

web.xml添加项：

web.xml additions:

<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

添加了新的Java文件：

New java file added:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class TgtWebSecurityConfigureAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .anyRequest().permitAll();
    }
}

Marco-仅使用CSRF过滤器，工作。

Marco - With just the CSRF filter, it does not work.

这篇关于仅使用Spring Security CSRF功能的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！