How to enable POST, PUT and DELETE methods in Spring Security

Question
I developed an application with spring boot, which was working fine. There is a restful controller. I tried to add spring security to some of the pages. The rest controller's endpoint is

    /api/greetings
I configured the security settings in the class below.
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home", "/api/greetings").permitAll()
                    //.antMatchers("/api/greetings","").permitAll()//can't do this
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }
    }
Now, when I tried accessing the Rest endpoint from a Rest-client (Postman), only the GET method is accessible and I am getting a 403 Forbidden response if I try to POST, PUT or DELETE.
    {
        "timestamp": 1467223888525,
        "status": 403,
        "error": "Forbidden",
        "message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.",
        "path": "/api/greetings/2"
    }
How do I solve this issue? I am new to Spring Security things.
Answer

Updated answer
If you're using Spring Security 4, you can disable specific routes easily

    http.csrf().ignoringAntMatchers("/nocsrf","/ignore/startswith/**")
If not, you can enable/disable CSRF on specific routes using requireCsrfProtectionMatcher
    // imports needed by the matcher below
    import java.util.regex.Pattern;
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.web.util.matcher.RegexRequestMatcher;
    import org.springframework.security.web.util.matcher.RequestMatcher;

    http.csrf().requireCsrfProtectionMatcher(new RequestMatcher() {
        // "safe" HTTP methods never need a CSRF token
        private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
        // versioned API paths such as /v1/... are exempted as well
        private RegexRequestMatcher apiMatcher = new RegexRequestMatcher("/v[0-9]*/.*", null);

        @Override
        public boolean matches(HttpServletRequest request) {
            // No CSRF due to allowedMethod
            if (allowedMethods.matcher(request.getMethod()).matches())
                return false;
            // No CSRF due to api call
            if (apiMatcher.matches(request))
                return false;
            // CSRF for everything else that is not an API call or an allowedMethod
            return true;
        }
    });
Original answer

You got an error because CSRF handling is 'on' by default with Spring Security.

You can disable it by adding http.csrf().disable();
But really, would you leave your application unsecured? I invite you to read this article to protect your application against CSRF, even if your application is based on REST service and not form submission.
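The following is an added example (it is not code from the question or from the answer above) showing how the questioner's configuration can keep CSRF protection switched on and still accept POST, PUT and DELETE from a REST client. It assumes Spring Security 4.1 or later, where both ignoringAntMatchers() and CookieCsrfTokenRepository exist; the package name and the /api/** path prefix are assumptions for illustration. The active choice hands the token to the client in a readable XSRF-TOKEN cookie, which the client echoes back in the X-XSRF-TOKEN header; the commented alternative exempts the API paths entirely, which is only reasonable when those endpoints are never called with a browser session cookie.

```java
package example.config; // assumed package name

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Same public routes as in the question. permitAll() only affects
                // authorization; the CSRF filter still runs for these paths, which
                // is why the question's POST/PUT/DELETE calls returned 403.
                .antMatchers("/", "/home", "/api/greetings/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll()
                .and()
            .csrf()
                // Alternative (assumed path prefix): skip CSRF checks for the API
                // only. Appropriate for token-authenticated, cookie-less clients.
                // .ignoringAntMatchers("/api/**")
                //
                // Active choice: keep CSRF on for every state-changing request, but
                // store the token in an XSRF-TOKEN cookie that is readable from
                // JavaScript, so a browser client (or Postman, by copying the cookie
                // value) can send it back in the X-XSRF-TOKEN request header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this in place a GET to /api/greetings sets the XSRF-TOKEN cookie; a subsequent DELETE to /api/greetings/2 succeeds when the request carries the same value in the X-XSRF-TOKEN header and is rejected with the 403 shown in the question when it does not, which is exactly the check a cross-site request cannot satisfy.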