堆栈内存溢出
  简体   繁体   English

在 spring 上启用的 csrf 云网关不会在响应 header 中添加 csrf 令牌

[英]csrf enabled on spring cloud gateway does not add the csrf token in the response header

 原文  2022-06-08 10:22:54       java/ angular/ spring/ spring-boot/ spring-cloud-gateway

问题描述

I have enabled CSRF in spring cloud gateway application.我在 spring 云网关应用程序中启用了 CSRF。 I have allowed a login api so that the first request to the application is processed and the response would have the CSRF token for my frontend (angular) to use it.我已经允许登录 api 以便处理对应用程序的第一个请求,并且响应将具有我的前端(角度)使用它的 CSRF 令牌。 But the responses does not have any csrf token.但是响应没有任何 csrf 令牌。

below is my configuration下面是我的配置

@Configuration
@EnableWebFluxSecurity
public class NettyConfiguration implements WebServerFactoryCustomizer<NettyReactiveWebServerFactory> {

@Value("${server.max-initial-line-length:65536}")
private int maxInitialLingLength;
@Value("${server.max-http-header-size:65536}")
private int maxHttpHeaderSize;

public void customize(NettyReactiveWebServerFactory container) {
    container.addServerCustomizers(
            httpServer -> httpServer.httpRequestDecoder(
                    httpRequestDecoderSpec -> {
                        httpRequestDecoderSpec.maxHeaderSize(maxHttpHeaderSize);
                        httpRequestDecoderSpec.maxInitialLineLength(maxInitialLingLength);
                        return httpRequestDecoderSpec;
                    }
            )
    );
}


@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
            // ...
            .csrf()
            .requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(pathMatchers("/i18n/*","/*","/assets/**","/service/webapi/login")))
            .and().csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()));
    return http.build();
}
}

I have disabled the CSRF for login.我已禁用 CSRF 进行登录。 Login in works, but the response does not have csrf token in the cookies. Due to this, my frontend is not able to get the token to make other requests.登录有效,但响应在 cookies 中没有 csrf 令牌。因此,我的前端无法获取令牌以发出其他请求。 Also does GET requests require the CSRF token? GET 请求也需要 CSRF 令牌吗? I get "an expected csrf token cannot be found" for GET requests as well.对于 GET 请求,我也收到“找不到预期的 csrf 令牌”。

1 个解决方案

解决方案1
 0  2022-06-09 09:38:05

Added the below code and its adding the token in response header.添加了以下代码并在响应 header 中添加了令牌。

@Bean
public WebFilter addCsrfTokenFilter() {
    return (exchange, next) -> Mono.just(exchange)
            .flatMap(ex -> ex.<Mono<CsrfToken>>getAttribute(CsrfToken.class.getName()))
            .doOnNext(ex -> {
            })
            .then(next.filter(exchange));
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Cloud Gateway 上启用的 CSRF 不允许登录 api POST 休息调用 - CSRF enabled on spring cloud gateway does not allow login api POST rest call spring如何使用_csrf参数或X-CSRF-TOKEN标头在内部验证csrf令牌? - How does the spring internally validate the csrf token with _csrf parameter or X-CSRF-TOKEN header? 春季启动-在请求参数&#39;_csrf&#39;或标头&#39;X-CSRF-TOKEN&#39;上发现无效的CSRF令牌&#39;null&#39; - Spring boot - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN' Spring Boot 不需要 CSRF 令牌 - Spring Boot does not require CSRF token Spring CSRF令牌生命 - Spring CSRF token life 将用于REST服务的CSRF令牌作为Http响应标头包含是否安全? - Is it safe to include a CSRF token for a REST service as a Http Response Header? Azure Spring 云中的 AD 身份验证导致“发现无效的 CSRF 令牌” - AD Authentication in Azure Spring Cloud causes 'Invalid CSRF token found' 405 方法不允许,spring 启动,但我使用 csrf 令牌 header - 405 Method Not Allowed, spring boot, but i used csrf token header 重命名Spring CSRF令牌变量 - Renaming Spring csrf token variable Spring Security未创建CSRF令牌 - Spring Security not creating CSRF token
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM