如何在 Play Framework 2 (Java) 中有选择地禁用 CSRF 检查 [英] How to selectively disable CSRF check in Play Framework 2 (Java)

问题描述

在 Play Framework 中，我们可以应用全局 CSRF 检查

In Play Framework we can apply global CSRF check

@SuppressWarnings({ "rawtypes", "unchecked" })
@Override
public <T extends EssentialFilter> Class<T>[] filters() {
    Class[] filters = { CSRFFilter.class };

    return filters;
}

在大多数情况下这很好.但我想设置指向我们网站的 Facebook Canvas 页面.事情是 Facebook 向我们的网站发送 POST 请求，它被 CSRF 检查阻止.它总是返回无效的CSRF令牌"

Which is fine in most of the cases. But I want to setup Facebook Canvas page which points to our website. The thing is Facebook sends POST request to our site and it is prevented by the CSRF check. It always return "Invalid CSRF Token"

所以我想在某些操作中选择性地禁用 CSRF 检查，例如 www.ourwebsite.com/canvas

So I want to selectively disable CSRF check in some actions say www.ourwebsite.com/canvas

这可行吗?

推荐答案

我创建了一篇关于如何执行此操作的博客文章，请参阅此处:

I created a blog post on how to do this, see here:

http://dominikdorn.com/2014/07/playframework-2-3-global-csrf-protection-disable-csrf-selectively/

2017-更新:从 PlayFramework 2.6 开始，它现在包含在框架本身中:https://www.playframework.com/documentation/2.6.x/JavaCsrf#applying-a-global-csrf-filter

2017-Update: Starting with PlayFramework 2.6, this is now included in the Framework itself: https://www.playframework.com/documentation/2.6.x/JavaCsrf#applying-a-global-csrf-filter

这篇关于如何在 Play Framework 2 (Java) 中有选择地禁用 CSRF 检查的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！