CSRF enabled on Spring Cloud Gateway does not add the CSRF token in the response header
I have enabled CSRF in my Spring Cloud Gateway application. I have allowed a login API so that the first request to the application is processed and the response would have the CSRF token for my frontend (Angular) to use. But the responses do not have any CSRF token.

Below is my configuration:
```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;

import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;

@Configuration
@EnableWebFluxSecurity
public class NettyConfiguration implements WebServerFactoryCustomizer<NettyReactiveWebServerFactory> {

    @Value("${server.max-initial-line-length:65536}")
    private int maxInitialLineLength;

    @Value("${server.max-http-header-size:65536}")
    private int maxHttpHeaderSize;

    // Raise Netty's request-line and header size limits (unrelated to CSRF).
    @Override
    public void customize(NettyReactiveWebServerFactory container) {
        container.addServerCustomizers(
            httpServer -> httpServer.httpRequestDecoder(
                httpRequestDecoderSpec -> {
                    httpRequestDecoderSpec.maxHeaderSize(maxHttpHeaderSize);
                    httpRequestDecoderSpec.maxInitialLineLength(maxInitialLineLength);
                    return httpRequestDecoderSpec;
                }
            )
        );
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .csrf(csrf -> csrf
                // Require a CSRF token on every request except these paths.
                .requireCsrfProtectionMatcher(new NegatedServerWebExchangeMatcher(
                        pathMatchers("/i18n/*", "/*", "/assets/**", "/service/webapi/login")))
                // Keep the token in a cookie that browser script can read.
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }
}
```
I have disabled CSRF for login. Login works, but the response does not have the CSRF token in the cookies. Due to this, my frontend is not able to get the token to make other requests.

Also, do GET requests require the CSRF token? I get "An expected CSRF token cannot be found" for GET requests as well.
I added the code below and it adds the token to the response header.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Bean
public WebFilter addCsrfTokenFilter() {
    return (exchange, next) -> Mono.just(exchange)
        // CsrfWebFilter stores a lazy Mono<CsrfToken> in the exchange attributes.
        .flatMap(ex -> ex.<Mono<CsrfToken>>getAttribute(CsrfToken.class.getName()))
        // Intentionally empty: subscribing to the token Mono is what makes the
        // cookie repository write the token into the response.
        .doOnNext(token -> {
        })
        .then(next.filter(exchange));
}
```
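Added example (not the poster's code, and not a Spring answer on this page): a configuration that addresses both symptoms in the question. It assumes the same exempt login path, `/service/webapi/login`, and the `CsrfCookieConfiguration` class name and `CSRF_EXEMPT_PATHS` constant are hypothetical. Two points it demonstrates: `requireCsrfProtectionMatcher(...)` replaces the default matcher (`CsrfWebFilter.DEFAULT_CSRF_MATCHER`, which exempts GET, HEAD, TRACE and OPTIONS) rather than adding to it, so a bare negated path matcher makes GETs require a token; and `CookieServerCsrfTokenRepository` only writes the `Set-Cookie` header when something subscribes to the `Mono<CsrfToken>` that `CsrfWebFilter` stores in the exchange, which nothing does on a gateway unless a `WebFilter` does it explicitly.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class CsrfCookieConfiguration {

    // Hypothetical list; mirrors the login exemption from the question.
    private static final String[] CSRF_EXEMPT_PATHS = { "/service/webapi/login" };

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Require a token only when BOTH hold: the request uses a state-changing
        // method (DEFAULT_CSRF_MATCHER exempts GET/HEAD/TRACE/OPTIONS) AND the
        // path is not on the exemption list. Passing only the negated path
        // matcher drops the method check, which is why plain GETs fail with
        // "An expected CSRF token cannot be found".
        ServerWebExchangeMatcher requireCsrf = new AndServerWebExchangeMatcher(
                CsrfWebFilter.DEFAULT_CSRF_MATCHER,
                new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers(CSRF_EXEMPT_PATHS)));

        http.csrf(csrf -> csrf
                .requireCsrfProtectionMatcher(requireCsrf)
                // Cookie XSRF-TOKEN / header X-XSRF-TOKEN are the repository defaults
                // and match Angular's HttpClient defaults. httpOnly=false is required
                // so the page's script can read the cookie and echo it in the header.
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }

    // CsrfWebFilter puts a lazy Mono<CsrfToken> into the exchange attributes; the
    // repository generates the token and emits Set-Cookie only when that Mono is
    // subscribed. A gateway has no controller rendering the token, so subscribe
    // here. An unordered WebFilter bean runs after the security chain (order -100),
    // so the attribute is already present.
    @Bean
    public WebFilter csrfCookieWebFilter() {
        return (exchange, chain) -> {
            Mono<CsrfToken> csrfToken = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
            return csrfToken
                    .doOnSuccess(token -> { /* subscribing is the only side effect needed */ })
                    .then(chain.filter(exchange));
        };
    }
}
```

With this in place the first response, whether the GET that loads the Angular app or the POST to the login path, carries `Set-Cookie: XSRF-TOKEN=...`; Angular then sends `X-XSRF-TOKEN` on its mutating same-origin requests and the matcher lets GETs through without a token. The cookie is deliberately readable by script because the double-submit pattern depends on it; the token is still bound to the origin by the browser's cookie and same-origin rules, but any XSS in the frontend can read it, so the exemption list should stay as short as the login endpoint actually needs.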