Spring Security: Enable/Disable CSRF by client type (browser / non-browser)


Question


Spring doc says


"When to use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection."


What if my service is going to be used by both "browser" and "non-browser" clients, such as third-party external services? Does Spring Security provide a way to disable CSRF exclusively for certain types of clients?

Reference: http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html

Accepted answer


I am sure there is a way to do this in Spring Security XML, but since I am using Java Config, here is my solution.

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Evaluated first (@Order(1)): only requests under /soap/** reach this chain.
    // Non-browser (SOAP) clients authenticate with HTTP Basic; CSRF is switched off.
    @Configuration
    @Order(1)
    public static class SoapApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/soap/**")
                .csrf().disable()
                .httpBasic();
        }
    }

    // Default order: every request not matched above, i.e. the browser-facing site
    // with form login.
    @Configuration
    public static class WebApiConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .formLogin()
                    .loginProcessingUrl("/authentication")
                    .usernameParameter("j_username")
                    .passwordParameter("j_password").permitAll()
                    .and()
                // As posted, CSRF is disabled on this chain too; remove this line to keep
                // Spring Security's default CSRF protection for browser clients.
                .csrf().disable();
        }
    }
}
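The same two-chain idea, written out as a complete configuration in which CSRF protection actually stays on for the browser-facing chain and off only for the machine-to-machine chain. This is an added example, not code from the answer above or from the Spring project; the `/api/**` path, the `ApiChain`/`WebChain` class names and the use of HTTP Basic for non-browser clients are assumptions. The important detail the answer's snippet leaves out is that the API chain is made stateless: no session cookie is issued for `/api/**`, so there is no ambient credential a cross-site request could ride on, which is what makes disabling CSRF there defensible.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example (not the page's or Spring's own code). Assumes non-browser clients
// call paths under /api/** and authenticate with HTTP Basic on every request.
@Configuration
@EnableWebSecurity
public class CsrfByClientTypeConfig {

    // Chain 1, evaluated first because of @Order(1): non-browser clients only.
    // STATELESS means no HttpSession/JSESSIONID is created for these requests, so a
    // forged cross-site request has no session to abuse and CSRF can be disabled.
    @Configuration
    @Order(1)
    public static class ApiChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .httpBasic()
                    .and()
                .csrf().disable();
        }
    }

    // Chain 2, default order: everything not under /api/**, i.e. the browser site.
    // Form login + session cookie is exactly the case the Spring doc says needs CSRF,
    // so protection is left enabled (it is on by default in Java Config).
    @Configuration
    public static class WebChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginProcessingUrl("/authentication")
                    .usernameParameter("j_username")
                    .passwordParameter("j_password")
                    .permitAll()
                    .and()
                .csrf()
                    // Publishes the token in an XSRF-TOKEN cookie so browser-side JavaScript
                    // can echo it back in the X-XSRF-TOKEN header; server-rendered forms keep
                    // using the _csrf hidden field. Drop this line if only server-rendered
                    // forms post to the site.
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        }
    }
}
```

One caveat worth checking in a review: the split is by URL, not by what the client really is. If a browser is ever used to log in to `/api/**` with HTTP Basic, it caches those credentials and attaches them to later cross-site requests, and the CSRF-free chain becomes reachable by a forged request after all. Keep the API chain for non-browser callers only, and prefer per-request credentials (Basic, bearer tokens) over anything a browser stores automatically.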
