是否有必要保护JAX-RS请求免受CSRF的侵害? [英] Is it necessary to protect JAX-RS requests against CSRF?
问题描述
是否有必要针对 CSRF 保护JAX-RS请求?
Is it necessary to protect JAX-RS requests against CSRF?
通过定义 REST是无状态的,因此不存在会话ID(会话Cookie) ,因为根本没有会话(另请参见 https://stackoverflow.com/a/15746639/5277820 ).
By definition REST is stateless and therefore exists no session id (session cookie), because there is no session at all (see also https://stackoverflow.com/a/15746639/5277820).
我的Spring Security Java配置:
My Spring Security Java Configuration:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Configuration
@Order(1)
public static class JaxRsWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.antMatcher("/services/**")
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.OPTIONS, "/services/**").permitAll()
.anyRequest().hasAuthority("ROLE_user")
.and()
.httpBasic()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
}
}
But I found for example following blog: Stateless Spring Security Part 1: Stateless CSRF protection. Unfortunately the blog does not explain, why one needs CSRF protection.
还有其他没有会话cookie的CSRF攻击吗?
Is there any other CSRF attack without session cookie?
推荐答案
CSRF攻击不需要存在会话. CSRF攻击包括通过诱使用户单击链接或提交可进入用户登录的应用程序的表单来代表用户做某事.
CSRF attacks don't need a session to exist. A CSRF attack consists in doing something on a user's behalf by tricking him/her into clicking a link or submitting a form that goes to an application where the user is logged in.
使用基本身份验证还是使用会话cookie来标识用户无关紧要.
Whether basic authentication or a session cookie is used to identify the user is irrelevant.
请注意,使用Cookie并不意味着该应用程序不是无状态的.与基本身份验证一样,Cookie只需在每个HTTP请求中发送一个附加的标头即可.
Note that using a cookie doesn't mean that the app is not stateless. A cookie, just like basic authentication, simply consists in sending an additional header with each HTTP request.
这篇关于是否有必要保护JAX-RS请求免受CSRF的侵害?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!