如何禁用网站中特定页面的csrf保护? [英] How to disable csrf protection for particular pages in my website?

问题描述

使用CSRF保护，以便来自其他网站的任何请求都不会影响我的网站而造成伤害.在spring security csrf文档中说过，csrf适用于放置后补丁删除请求.

CSRF protection is used so that any requests made from other websites cannot affect my website to cause harm. It is said in the spring security csrf documentation that csrf is applied for put post patch delete requests.

但是，据我了解，登录/注册表单不需要csrf保护，因为它们已经需要用户名和密码形式的凭据，即使从其他网站发出这样的请求，也不会造成伤害.用户将刚刚登录.

But according to my understanding, login/signup forms do not need csrf protection, as they already require credentials in the form of username and password and even if such a request is made from another website, there will be no harm as the user will just get logged in.

但是由于登录通常是发布请求，因此默认情况下，spring默认会在此处自动应用csrf.这意味着我将需要将csrf令牌生成参数作为隐藏输入字段添加到表单中，如下所示:

But since login is usually a post request, csrf will automatically be applied here by spring default. Which means I will need to add the csrf token generation parameters as hidden input field to my form like so:

<form th:action="@{/login}" method="post">    
    <fieldset>
        <input type="hidden" 
             th:name="${_csrf.parameterName}" 
             th:value="${_csrf.token}" />
    </fieldset>
    ...
</form>

如果我不添加此内容，则会出现403禁止错误.但是，如果我像这样禁用此csrf，则:.

If I dont add this, 403 Forbidden error will come. But if I disable this csrf like so..:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
}

然后，所有页面都失去了网站中的csrf保护.我如何将csrf应用于某些页面，而不应用于其他页面，即使它们正在发出发布请求?

Then all the pages lose the csrf protection in the website. How can I apply csrf to certain pages and not to others, even though they are making post requests?

我正在使用Spring Boot + Spring Security +百里香

I am using Spring Boot + Spring Security + thymeleaf

推荐答案

您可以在 configure(HttpSecurity http)中使用 .csrf().ignoringAntMatchers("/login")

You may use .csrf().ignoringAntMatchers("/login") in configure(HttpSecurity http)

csrf().ignoringAntMatchers("String")

csrf().ignoringAntMatchers("String")

允许指定不使用CSRF保护的HttpServletRequest，即使它们与requireCsrfProtectionMatcher(RequestMatcher)相匹配.

Allows specifying HttpServletRequest that should not use CSRF Protectioneven if they match the requireCsrfProtectionMatcher(RequestMatcher).

例如，以下配置将确保CSRF保护忽略:

For example, the following configuration will ensure CSRF protection ignores:

• 任何GET，HEAD，TRACE，OPTIONS(这是默认设置)
• 我们还明确声明忽略任何以"/sockjs/"开头的请求

    http
          .csrf()
              .ignoringAntMatchers("/sockjs/**")
              .and()
          ...

---

.csrf().ignoringRequestMatchers(requestMatchers)

---

.csrf().ignoringRequestMatchers(requestMatchers)

允许指定不应使用CSRF的HttpServletRequests保护，即使它们与requireCsrfProtectionMatcher(RequestMatcher).

Allows specifying HttpServletRequests that should not use CSRF Protectioneven if they match the requireCsrfProtectionMatcher(RequestMatcher).

例如，以下配置将确保CSRF保护忽略:

For example, the following configuration will ensure CSRF protection ignores:

• 任何GET，HEAD，TRACE，OPTIONS(这是默认设置)
• 我们还明确声明忽略具有"X-Requested-With:XMLHttpRequest"标头的任何请求

http
     .csrf()
         .ignoringRequestMatchers(request -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
         .and()

这篇关于如何禁用网站中特定页面的csrf保护?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！