[英]Spring security bypass CSRF verification for specific URL's
我有一個基於Spring Security + MVC的項目。
該項目的Web方面已經由以前的開發人員開發。 我的任務是公開一些API,服務提供者將在這些API上進行回調。
為了對此進行存檔,我完成了以下代碼。
@RestController
public class LeegalityController {
private static final Logger logger = LoggerFactory.getLogger(LeegalityController.class);
@RequestMapping(value = "webhook/{user}/{id}", method = RequestMethod.POST)
public ResponseEntity<String> webhook(@PathVariable("user") int user, @PathVariable("id") String id,
@RequestBody LeegalityReqResp reqResp, HttpServletRequest request) {
try {
logger.info("webhook()== user[" + user + "] == id[" + id + "]");
logger.info("webhook()== LeegalityReqResp-->" + reqResp.toString());
} catch (Exception e) {
logger.error("webhook() Error==[" + e.getMessage() + "]", e);
}
return new ResponseEntity<String>("success", HttpStatus.OK);
}
}
但是,通過郵遞員測試API時,出現以下錯誤
我已嘗試對安全性配置xml進行如下更改,如下所示
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="*/webhook/**" security="none" create-session="stateless" />
<http auto-config="true">
<intercept-url pattern="/"
access="hasAnyRole('ROLE_ADMIN','ROLE_ONE','ROLE_TWO')" />
<!-- <intercept-url pattern="/webhook/**" method="POST" access="permitAll" /> -->
<intercept-url pattern="/admin"
access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/otp"
access="hasAnyRole('ROLE_ONE','ROLE_TWO')" />
<form-login login-page="/ProjectName-Home"
default-target-url="/" authentication-failure-url="/login?error"
username-parameter="username" password-parameter="password" />
<logout logout-success-url="/login?logout" />
</http>
<authentication-manager
alias="authenticationManager">
<authentication-provider
ref="userAuthenticationProvider">
</authentication-provider>
</authentication-manager>
<beans:bean id="userAuthenticationProvider"
class="com.java.ProjectName.service.user.UserAuthenticationProvider"></beans:bean>
<beans:bean id="encoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength"
value="11" />
</beans:bean>
</beans:beans>
我應該怎么做才能確保將此/webhook/*排除在CSRF驗證之外。 感謝您的任何幫助,並在此先感謝您。
我的春季版本是4.2.0.RELEASE,春季安全版本是4.0.2.RELEASE。
要從CSRF保護中排除特定的URL,可以使用<csrf request-matcher-ref="csrfMatcher"> 。 csrfMatcher是RequestMatcher ,它定義哪個URL請求將具有CSRF保護。
Google文檔提供了一個示例,該示例僅排除特定的URL,同時仍保持其他默認設置不變:
<http ...>
<csrf request-matcher-ref="csrfMatcher"/>
...
</http>
<beans:bean id="csrfMatcher" class="org.springframework.security.web.util.matcher.AndRequestMatcher">
<beans:constructor-arg value="#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}"/>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
<beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<beans:constructor-arg value="/webhook/**"/>
</beans:bean>
</beans:bean>
</beans:constructor-arg>
</beans:bean>
如何在 Spring Boot 項目中忽略特定 URL 的 Spring Security CSRF
[英]how to ignore spring security CSRF for specific URL's in spring boot project
在Spring Security中,如何繞過URL的GET方法; 而不是POST之一
[英]In Spring Security, how to bypass the GET method of an URL; but not the POST one
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.