Spring Security:按客户端类型启用/禁用 CSRF(浏览器/非浏览器) [英] Spring Security: enable / disable CSRF by client type (browser / non-browser )

问题描述

Spring 安全文档 说:

Spring Security documentation says:

"什么时候使用CSRF保护?我们推荐使用CSRF保护可以由浏览器处理的任何请求普通用户.如果您只是创建一个由以下人员使用的服务非浏览器客户端，您可能希望禁用 CSRF 保护."

"When you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection."

如果我的服务将同时被浏览器"和非浏览器"客户端(例如第三方外部服务)使用，Spring Security 是否提供了专门为某些类型的客户端禁用 CSRF 的方法?

What if my service is going to be used by both "browser" and "non-browser" clients such as third party external services, does Spring Security provide a way to disable CSRF exclusively for certain type of clients?

推荐答案

我确信在 Spring Security XML 中有一种方法可以做到这一点，但由于我使用的是 Java Config，所以这是我的解决方案.

I am sure there is a way to do this in Spring Security XML, but since I am using Java Config, here is my solution.

 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {

    @Configuration
    @Order(1)
    public static class SoapApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/soap/**")
                .csrf().disable()
                .httpBasic();
        }
    }


    @Configuration
    public static class WebApiConfigurationAdapter extends WebSecurityConfigurerAdapter {

        protected void configure(HttpSecurity http) throws Exception {
            http        
                .formLogin()
                    .loginProcessingUrl("/authentication")
                    .usernameParameter("j_username")
                    .passwordParameter("j_password").permitAll()
                    .and()
                .csrf().disable()

        }
     }
}

这篇关于Spring Security:按客户端类型启用/禁用 CSRF(浏览器/非浏览器)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！