选择性使用Spring Security的CSRF过滤器 [英] Selective usage of Spring Security's CSRF filter
问题描述
免责声明:我的问题有点类似于这个问题和这个问题,但我已经尝试了这些主题中建议的所有答案,并且已经花费了几天时间来解决这个问题。
Disclaimer: My question is somewhat similar to this question and this question, but I have tried all the answers suggested in those threads and already spent few days struggling with the problem.
我在现有的应用程序(JSP,Servlet)中引入了Spring Security 3.2.6,我使用的是Java配置。我的应用程序将被浏览器和非浏览器客户端使用。我希望所有对URL的浏览器请求(即 / webpages / webVersion /
和 / webpages / webVersion2 /
)为启用CSRF并禁用所有其他CSRF请求。非浏览器客户端从不访问上述两个URL,而浏览器应用程序也可以访问CSRF禁用的URL。
I am introducing Spring Security 3.2.6 in my existing application (JSP, Servlet only) and I am using Java configuration. My application will be used both by browsers and non-browser clients. I want all the browser requests to URLs (i.e. /webpages/webVersion/
and /webpages/webVersion2/
) to be CSRF enabled and all the other requests to be CSRF disabled. Non-browser clients never access above two URLs, whereas the browser application may also access CSRF disabled URLs.
我尝试了多种选项:
-
仅在上述网址上启用Spring Security:
Enable Spring Security only on the aformentioned URLs:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/","/resources/****").permitAll()
.antMatchers("/webpages/webVersion/****", "/webpages/webVersion2/****").authenticated()
.antMatchers("/webpages/****").permitAll()
.anyRequest().anonymous()
.and()
.formLogin().loginPage("/webpages/webVersion/login/newLogin.jsp").failureUrl("/webpages/webVersion/login/newLogin.jsp?error=true").loginProcessingUrl("/j_spring_security_check")
.usernameParameter("username").passwordParameter("password").defaultSuccessUrl("/webpages/webVersion/login/loginSuccess.jsp", true).permitAll()
.and()
.logout().logoutUrl("/webpages/webVersion/logout.jsp").permitAll()
.and().exceptionHandling().accessDeniedPage("/webpages/webVersion/404-error-page.jsp")
.and()
.csrf();
}
这不起作用,因为我观察到所有的CSR都启用了网址。
This didn't work as I observe that CSRF is enabled for all of the URLs.
尝试使用 CSRFProtectionMatcher
:
.csrf().requireCsrfProtectionMatcher(csrfRequestMatcher);
CSRF仅针对预期的网址启用,但即使是 / resources / **
和 / webpages / **
需要在匹配功能中检查网址。似乎有点多考虑它将适用于所有请求。
CSRF is enabled for intended URLs only, but even /resources/**
and /webpages/**
URLs need to be checked inside matches function. Seems to be a bit much considering it will be for all requests.
尝试使用另一个版本的 configure
方法:
Tried using another version of the configure
method:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().regexMatchers(".*?/jsp/(?!webVersion|webVersion2).*?");
}
我不确定我是否做得正确但是这并没有产生结果我想要。
I am not sure whether I did it correctly but this didn't produce the results I wanted.
以上哪种方法是正确的(Spring Security)做我想要的方式?如何从Spring Security配置中实现所需的行为?
Which of the above approach is the correct (Spring Security) way of doing what I want? How can I achieve the desired behavior from my Spring Security configuration?
推荐答案
事实证明他们的配置出现了一些错误最后我使用方法3实现了目标。我使用了以下版本的configure函数以及通常的 configure(HttpSecurity http)
函数..
It turned out that their was some error with my configuration and finally I achieved the objective using approach 3.. I used below version of the configure function along with the usual configure(HttpSecurity http)
function..
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().regexMatchers(".*?/jsp/(?!webVersion|webVersion2).*?");
}
这篇关于选择性使用Spring Security的CSRF过滤器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!