stackoom
  简体   繁体   中英

Spring Security using CSRF token even though not specified and turned off

 原文  2020-07-08 12:33:02       java/ spring-boot/ spring-security/ csrf

Question

For my project I am trying to make a simple service which can do POST, GET and DELETE requests. I'm not interested in the extra security layer added by CSRF, so I want it turned off. I know that by default it should be off, but it does not seem to behave. Every time I make a post request, it gives me the following output:

/users/insert at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy        : /users/insert at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.security.web.FilterChainProxy        : /users/insert at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.security.web.FilterChainProxy        : /users/insert at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/users/insert
o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6c3a524b
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

If I do a GET request it works just fine.

My pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.webservices</groupId>
    <artifactId>restservice</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>restservice</name>
    <description>Rest webservice</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-hateoas</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <version>5.3.2.RELEASE</version>
            <scope>test</scope>
        </dependency>

         <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.data</groupId>
            <artifactId>spring-data-rest-hal-browser</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.data</groupId>
            <artifactId>spring-data-rest-hal-browser</artifactId>
        </dependency>

        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger2</artifactId>
            <version>2.9.2</version>
        </dependency>

        <dependency>
            <groupId>io.springfox</groupId>
            <artifactId>springfox-swagger-ui</artifactId>
            <version>2.9.2</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

In my application.properties I've tried security.enable.csrf=false , but it does not work.

3 answers

solution1
 1 ACCPTED  2020-07-09 16:42:21

CSRF stands for Cross-Site Request Forgery which is default enabled while using the Spring Security as follows, 

public CsrfConfigurer<HttpSecurity> csrf() throws Exception {
    ApplicationContext context = getContext();
    return getOrApply(new CsrfConfigurer<>(context));
}

Completly Disable

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().disable()...
}

Partially Enabled

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().ignoringAntMatchers("csrf-disabled-endpoints")...
}

Include CSRF

@Override
public void configure(HttpSecurity http) throws Exception {

    http
        .csrf().ignoringAntMatchers("csrf-disabled-endpoints")
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())...
}

You may like to explore more details here What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?

solution2
 0  2020-07-08 13:10:57

CSRF protection is enabled by default. There is no way to disable the csrf feature by configuring in application.properties by default. As Patel points out, this must be done by disabling csrf on your HttpSecurity configuration.

See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf-configure-disable on how to do this using either XML or Java configuration.

You may create your own application.properties entry by using an @Value within your java configuration. eg @Value("${security.enable.csrf}") private boolean csrfEnabled;

solution3
 0  2020-07-09 09:28:03

The answer from Patel Romil fixed my problem! 

Have you added the csrf.disable() in configure(HttpSecurity http) method?

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Security not creating CSRF token How to obtain csrf token in a velocity macro when using spring security 403 CSRF token error using Vaadin with Spring Security Spring Security 4 JTwig put CSRF token in forms Spring Security CSRF: How to retrieve token in Java Different csrf token per request in Spring security Spring Security CSRF Token not working with AJAX Expected CSRF token not found Spring Security Spring Security denies logout CSRF token Spring security csrf disabled, still get an Invalid CSRF token found
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM