[英]Disable CSRF on specific firewall
I have application which allows user access by 2 different channels. 我有允许用户通过2个不同渠道访问的应用程序。
I have enabled CSRF protection, because I want to use it in first case. 我启用了CSRF保护,因为我想在第一种情况下使用它。
framework:
csrf_protection: true
But... I need to disable CSRF protection while I'm sending request to /api/* addresses, because in this case I'm logging with OAuth. 但是...在向/ api / *地址发送请求时,我需要禁用CSRF保护,因为在这种情况下,我正在使用OAuth进行记录。
Can I disable CSRF protection for specific firewall? 我可以禁用特定防火墙的CSRF保护吗?
My firewalls: 我的防火墙:
firewalls:
oauth_token:
pattern: ^/api/oauth/v2/token
security: false
api:
pattern: ^/api/
fos_oauth: true
stateless: true
anonymous: false
main:
pattern: ^/
form_login:
provider: chain_provider
csrf_provider: form.csrf_provider
logout: true
anonymous: true
While I'm sending POST requests to /api/ server returns error: 当我向/ api /服务器发送POST请求时,返回错误:
The CSRF token is invalid.
CSRF令牌无效。 Please try to resubmit the form.
请尝试重新提交表格。
I need to disable this protection for api
firewall and keep it for main
. 我需要为
api
防火墙禁用此保护,并将其保留为main
。 Is it possible? 可能吗?
You can handle this on user basis: 您可以根据用户进行处理:
http://symfony.com/doc/current/bundles/FOSRestBundle/2-the-view-layer.html#csrf-validation http://symfony.com/doc/current/bundles/FOSRestBundle/2-the-view-layer.html#csrf-validation
When building a single application that should handle forms both via HTML forms as well as via a REST API, one runs into a problem with CSRF token validation.
在构建应通过HTML表单以及REST API处理表单的单个应用程序时,CSRF令牌验证会遇到问题。 In most cases it is necessary to enable them for HTML forms, but it makes no sense to use them for a REST API.
在大多数情况下,有必要为HTML表单启用它们,但是将它们用于REST API没有任何意义。 For this reason there is a form extension to disable CSRF validation for users with a specific role.
因此,存在一个扩展形式,用于禁用具有特定角色的用户的CSRF验证。 This of course requires that REST API users authenticate themselves and get a special role assigned.
当然,这需要REST API用户进行身份验证并分配特殊角色。
fos_rest: disable_csrf_role: ROLE_API
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.