Spring 使用 CSRF 令牌的安全性,即使未指定并关闭
[英]Spring Security using CSRF token even though not specified and turned off
问题描述
For my project I am trying to make a simple service which can do POST, GET and DELETE requests.
对于我的项目,我正在尝试制作一个可以执行 POST、GET 和 DELETE 请求的简单服务。 I'm not interested in the extra security layer added by CSRF, so I want it turned off.我对 CSRF 添加的额外安全层不感兴趣,所以我希望它关闭。 I know that by default it should be off, but it does not seem to behave.我知道默认情况下它应该关闭,但它似乎没有表现。 Every time I make a post request, it gives me the following output:每次我发出一个帖子请求时,它都会给我以下 output:
/users/insert at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy : /users/insert at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.security.web.FilterChainProxy : /users/insert at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.security.web.FilterChainProxy : /users/insert at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/users/insert
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6c3a524b
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
If I do a GET request it works just fine.如果我做一个 GET 请求,它工作得很好。
My pom.xml:我的 pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.webservices</groupId>
<artifactId>restservice</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>restservice</name>
<description>Rest webservice</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-hateoas</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>5.3.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-rest-hal-browser</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-rest-hal-browser</artifactId>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
In my application.properties I've tried security.enable.csrf=false , but it does not work.在我的 application.properties 中,我尝试了security.enable.csrf=false ,但它不起作用。
3 个解决方案
解决方案1
1 已采纳 2020-07-09 16:42:21
CSRF stands for Cross-Site Request Forgery which is default enabled while using the Spring Security as follows, CSRF代表跨站点请求伪造,在使用 Spring 安全性时默认启用,如下所示,
public CsrfConfigurer<HttpSecurity> csrf() throws Exception {
ApplicationContext context = getContext();
return getOrApply(new CsrfConfigurer<>(context));
}
Completly Disable完全禁用
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()...
}
Partially Enabled部分启用
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().ignoringAntMatchers("csrf-disabled-endpoints")...
}
Include CSRF包括 CSRF
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().ignoringAntMatchers("csrf-disabled-endpoints")
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())...
}
You may like to explore more details here What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?您可能想在这里探索更多细节Cookie CsrfTokenRepository.withHttpOnlyFalse () 有什么作用以及何时使用它?
解决方案2
0 2020-07-08 13:10:57
CSRF protection is enabled by default.默认情况下启用 CSRF 保护。 There is no way to disable the csrf feature by configuring in application.properties by default.默认情况下,无法通过在 application.properties 中配置来禁用 csrf 功能。 As Patel points out, this must be done by disabling csrf on your HttpSecurity configuration.正如 Patel 指出的那样,这必须通过在 HttpSecurity 配置上禁用 csrf 来完成。
See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf-configure-disable on how to do this using either XML or Java configuration. See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf-configure-disable on how to do this using either XML or Java configuration.
You may create your own application.properties entry by using an @Value within your java configuration.您可以在 java 配置中使用 @Value 创建自己的 application.properties 条目。 eg @Value("${security.enable.csrf}") private boolean csrfEnabled;例如@Value("${security.enable.csrf}") private boolean csrfEnabled;
解决方案3
0 2020-07-09 09:28:03
The answer from Patel Romil fixed my problem! Patel Romil 的回答解决了我的问题!
Have you added the csrf.disable() in configure(HttpSecurity http) method?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.