Disable CSRF / CORS in Spring Boot: Spring security 5.7 and SAML
I am using a Spring Boot application with the latest stable versions of Spring Boot and Spring Security. I am doing authentication with an ADFS IDP using SAML2. That works fine for all GET requests. Now I need to use PUT and POST and therefore I'd like to disable csrf.
With this piece of code I tried to disable csrf:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().and().cors().disable();
        }
    }
But when doing this the complete SAML Authentication gets lost and no Single-Sign-On and so on is performed. I am using SAML2 by configuration:
    spring:
      security:
        saml2:
          relyingparty:
            registration:
              DemoApp:
                entity-id: urn:id:demo-app
                identityprovider:
                  entity-id: "http://adfs.local/adfs/services/trust"
                  metadata-uri: "https://adfs.local/FederationMetadata/2007-06/FederationMetadata.xml"
                  singlesignon:
                    url: "https://adfs.local/adfs/ls"
                    sign-request: true
How do I disable csrf and keep the SAML2 things working?
WebSecurityConfigurerAdapter is deprecated. Use a SecurityFilterChain Bean to configure HttpSecurity or a WebSecurityCustomizer Bean to configure WebSecurity. Try this
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .csrf().disable()
            .cors().disable();
        return http.build();
    }

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig {
        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                .csrf(csrf -> csrf.disable());
            return http.build();
        }
    }
For more details follow the link below
https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#servlet-csrf-configure-disable
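As an added example (not code from the question or either answer): declaring your own security configuration makes Spring Boot's default filter chain back off, which is why SAML login disappears in the question's setup, so the chain below restates the authorization rule and `saml2Login()` before turning CSRF off. The class and bean names are assumptions; the relying party registration is still read from the `spring.security.saml2.relyingparty` properties shown in the question.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SamlSecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain samlFilterChain(HttpSecurity http) throws Exception {
        http
            // A user-defined chain replaces Spring Boot's default one, so the
            // "every request must be authenticated" rule has to be restated.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Re-enable SAML2 login. The registration (DemoApp, ADFS metadata)
            // is still built by Spring Boot from application.yml.
            .saml2Login(Customizer.withDefaults())
            // CSRF protection off for all endpoints, as asked in the question.
            // After SAML login the user is authenticated by a session cookie,
            // so PUT/POST are then accepted without a CSRF token. To keep the
            // protection and let a JavaScript client send the token instead:
            //   csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}
```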
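Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you republish them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.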