In Spring-Security with Java Config, why does httpBasic POST want csrf token?
Problem description
I am using Spring-Security 3.2.0.RC2 with Java config. I set up a simple HttpSecurity config that asks for basic auth on /v1/**. GET requests work but POST requests fail with:
HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
My security config looks like this:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Resource
        private MyUserDetailsService userDetailsService;

        @Autowired
        //public void configureGlobal(AuthenticationManagerBuilder auth)
        public void configure(AuthenticationManagerBuilder auth)
                throws Exception {
            StandardPasswordEncoder encoder = new StandardPasswordEncoder();
            auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
        }

        @Configuration
        @Order(1)
        public static class RestSecurityConfig
                extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                    .antMatcher("/v1/**").authorizeRequests()
                        .antMatchers("/v1/**").authenticated()
                        .and().httpBasic();
            }
        }
    }
Any help on this greatly appreciated.
Recommended answer
CSRF protection is enabled by default with Java configuration. To disable it:
    @Configuration
    public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                ...;
        }
    }
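An added example, not part of the original question or answer: one way to scope the `csrf().disable()` call to the stateless `/v1/**` Basic-auth chain while a separate browser-facing chain keeps the default CSRF check. CSRF matters wherever a browser attaches credentials on its own (a session cookie, or Basic credentials it has cached), so the disabled chain here is meant for non-browser API clients. The class names and the form-login chain are assumptions for illustration, and the user store is assumed to be configured as in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class ScopedCsrfSecurityConfig { // hypothetical class name

    // Chain 1: the /v1/** REST API from the question, HTTP Basic only.
    @Configuration
    @Order(1)
    public static class RestApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/v1/**")
                // The CSRF check is switched off for this chain only.
                .csrf().disable()
                // No HTTP session is created or used, so every request
                // must carry its own Authorization header.
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic();
        }
    }

    // Chain 2 (assumed for illustration): browser-facing pages with form login.
    @Configuration
    @Order(2)
    public static class BrowserSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // csrf() is left untouched, so the default stays on and POST
            // requests still need the _csrf parameter or X-CSRF-TOKEN header.
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
        }
    }
}
```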