堆栈内存溢出
  简体   繁体   English

在 Spring 引导中禁用 CSRF / CORS 启动:Spring 安全 5.7 和 SAML

[英]Disable CSRF / CORS in Spring Boot: Spring security 5.7 and SAML

 原文  2022-07-25 09:38:01       spring/ spring-boot/ spring-security

问题描述

I am using a Spring Boot application with the latest stable versions of Spring Boot and Sprign Security.我正在使用 Spring Boot 应用程序和最新稳定版本的 Spring Boot 和 Sprign Security。 I am doing authentication with an ADFS IDP using SAML2.我正在使用 SAML2 对 ADFS IDP 进行身份验证。 That works fine for all GET requests.这适用于所有 GET 请求。 Now I need to use PUT and POST and therfore I'd like to disable csrf.现在我需要使用 PUT 和 POST,因此我想禁用 csrf。

With this pease of code I tried to disable csrf:有了这段代码,我尝试禁用 csrf:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().and().cors().disable();
    }

}

But when doing this the complete SAML Authentication gets lost and no Single-Sign-On and so on is performed.但是这样做时,完整的 SAML 身份验证会丢失,并且不会执行单点登录等。 I am using SAML2 by configuration:我通过配置使用 SAML2:

spring:
  security:
    saml2:
      relyingparty:
        registration:
          DemoApp: 
            entity-id: urn:id:demo-app
            identityprovider:
              entity-id: "http://adfs.local/adfs/services/trust"
              metadata-uri: "https://adfs.local/FederationMetadata/2007-06/FederationMetadata.xml"     
              singlesignon:
                url: "https://adfs.local/adfs/ls"
                sign-request: true

How do I disable csrf and keep the SAML2 things working?如何禁用 csrf 并保持 SAML2 工作正常?

2 个解决方案

解决方案1
 0  2022-07-25 10:51:28

WebSecurityConfigurerAdapter is deprecated. WebSecurityConfigurerAdapter 已弃用。 Use a SecurityFilterChain Bean to configure HttpSecurity or a WebSecurityCustomizer Bean to configure WebSecurity.使用 SecurityFilterChain Bean 来配置 HttpSecurity 或使用 WebSecurityCustomizer Bean 来配置 WebSecurity。 Try this尝试这个

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
            .csrf().disable()
            .cors().disable();      
    return http.build();
}

解决方案2
 0  2022-08-28 17:35:13

The Java configuration below will disable CSRF protection in Spring security 5.7下面的 Java 配置将禁用 Spring 安全 5.7 中的 CSRF 保护

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}

For more details follow the link below更多详情请点击以下链接

https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf-configure-disable https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf-configure-disable

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Boot在本地环境中禁用SAML安全 - Spring boot disable SAML security in Local environment 无法在Spring Boot中禁用CSRF安全性 - Cannot disable CSRF security in Spring Boot Spring Boot 安全无法禁用 CSRF 保护 - Spring Boot security can not disable CSRF protection Spring Boot 安全 CORS - Spring Boot Security CORS Spring Boot 和安全性 - cors - Spring boot & security - cors 如何在 Spring 引导中禁用 Spring 安全性中的 CORS? - How to disable CORS in Spring Security within Spring Boot? Spring Boot Security和Auth0-无法禁用CSRF - Spring Boot Security and Auth0 - Cannot disable CSRF Spring Security CSRF禁用问题 - spring security csrf disable issue 无法禁用csrf Spring启动 - Cannot disable csrf Spring boot 在 Spring Boot 和 Angular 之间处理 CORS 和 CSRF - Handling CORS and CSRF between Spring Boot and Angular
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM