
Spring security - CSRF with REST methods

I have a REST API where I have exposed GET, POST, PUT and DELETE methods. I am using Spring Security and implementing basic authentication. I am allowing the GET request to be made by a user with the role USER, whereas the other requests can only be made by a user with the role ADMIN. I see that if I don't add the csrf().disable() line, only the GET method works correctly, whereas I get a 403 Forbidden for the other methods. However, when I add csrf().disable() all the methods work fine. Is this expected or am I doing something wrong?

When CSRF is enabled, Spring Boot expects you to send the CSRF token with every request that is made to the endpoint. If that is not included, then the request is denied and you get the 403 response code. It is like an HTTP session. But REST endpoints are stateless, so it's better not to use CSRF with them. REST endpoints are essentially immune to CSRF attacks as they are stateless. Read the doc.
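The configuration below is an added example, not code from the question or the answer above, showing the setup the thread discusses in Spring Security 6 lambda style: HTTP Basic, GET open to USER and ADMIN, every other method restricted to ADMIN, and CSRF switched off. Rather than a global csrf().disable(), it scopes the disable to the /api/** chain (kept stateless, so no session is created) and leaves CSRF on for a second, browser-facing chain, which is the distinction the Spring Security reference documentation draws: CSRF protection is needed for requests a browser can send with automatically attached credentials, and Basic credentials cached by a browser count as such, so the disable is only appropriate when /api/** is consumed by non-browser clients that set the Authorization header explicitly. The path prefix /api/**, the usernames and passwords, and the class name are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Example configuration (assumed class name); two filter chains, one per client type.
@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Chain 1: the REST API under /api/** (assumed prefix), consumed by non-browser
    // clients that send an Authorization header on every call.
    @Bean
    @Order(1)
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Only requests matching /api/** are handled by this chain.
            .securityMatcher("/api/**")
            .authorizeHttpRequests(auth -> auth
                // GET is allowed for USER and ADMIN (hasAnyRole adds the ROLE_ prefix).
                .requestMatchers(HttpMethod.GET, "/api/**").hasAnyRole("USER", "ADMIN")
                // POST, PUT, DELETE and anything else under /api/** require ADMIN.
                .anyRequest().hasRole("ADMIN"))
            .httpBasic(Customizer.withDefaults())
            // Stateless: no HttpSession is created, credentials are re-checked per request.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF disabled for this chain only; without this, non-GET requests that
            // carry no CSRF token are rejected with 403 before authorization runs.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: everything else, i.e. browser-facing pages with form login and a
    // session cookie, where the browser attaches the cookie automatically and
    // CSRF protection must stay on.
    @Bean
    @Order(2)
    SecurityFilterChain browserFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // Token in a readable cookie (XSRF-TOKEN) so JavaScript on the page can
            // echo it back in the X-XSRF-TOKEN header on POST/PUT/DELETE.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }

    // Constructed sample users for the example; a real deployment would back this
    // with a database or an identity provider.
    @Bean
    UserDetailsService users() {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        UserDetails user = User.withUsername("user")
            .password(encoder.encode("user-pw"))
            .roles("USER")
            .build();
        UserDetails admin = User.withUsername("admin")
            .password(encoder.encode("admin-pw"))
            .roles("ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

With this in place, a POST to /api/... as "user" still returns 403, but now from the authorization rule (wrong role) rather than from the CSRF filter, which is the symptom to check for when distinguishing the two: a CSRF rejection happens for every non-GET request regardless of role, an authorization rejection only for the roles the matcher excludes.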
