0
我已經在我的項目中將jsp和freemarker應用了CSRF,它運行良好。CSRF在REST POST方法上無效
下面是在彈簧security.xml文件
<http xmlns="http://www.springframework.org/schema/security"
access-denied-page="/accessdenied" auto-config="true" use-expressions="true"
create-session="ifRequired">
<intercept-url pattern="/register" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<form-login login-page="/login"
authentication-failure-handler-ref="customAuthenticationFailureHandler"
authentication-success-handler-ref="mySimpleUrlAuthenticationSuccessHandler" />
<logout logout-success-url="/login?logout=true" delete-cookies="JSESSIONID"
invalidate-session="true" />
<csrf/>
</http>
下面指定的Web網址的代碼彈簧security.xml文件中對REST API.I也試過廣告CSRF標記在REST HTTP代碼標籤,但它不工作。
<http pattern="/api/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/addpatient" access="ROLE_ADMIN"
method="POST" />
<intercept-url pattern="/api/addpatient/image/{p_id}"
access="ROLE_ADMIN" method="POST" />
<intercept-url pattern="/api/patients" access="ROLE_ADMIN"
method="GET" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- <csrf /> -->
<!-- <http-basic/> <form-login login-processing-url="/api" authentication-success-handler-ref="mySuccessHandler"
authentication-failure-handler-ref="myFailureHandler" /> -->
</http>
在REST和網址的所有POST方法都正常工作,我已經apllied安全或添加到安全文件。但是我想要一個REST URL來註冊新用戶而不應用任何安全措施。
當我從郵遞員發送數據,我得到了以下控制檯例外:
"10:09:48,749 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
10:09:48,749 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
10:10:10,723 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/adduser'; against '/oauth/token'
10:10:10,726 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/adduser'; against '/api/**'
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 1 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:10:10,726 DEBUG HttpSessionSecurityContextRepository:136 - No HttpSession currently exists
10:10:10,726 DEBUG HttpSessionSecurityContextRepository:90 - No SecurityContext was available from the HttpSession: null. A new one will be created.
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 2 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 3 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
10:10:10,727 DEBUG CsrfFilter:95 - Invalid CSRF token found for http://localhost:1522/si-server/adduser
enter into denied page
10:10:10,731 DEBUG cache:83 - Could not find template in cache, creating new one; id=["denied.ftl"["en_US",Cp1252,parsed] ]
10:10:10,791 DEBUG HttpSessionSecurityContextRepository:300 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
10:10:10,792 DEBUG HttpSessionSecurityContextRepository:300 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
10:10:10,797 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed"
附: 只有沒有安全性的REST不起作用,與我在做同樣的事情的web網址形成對比。
謝謝。我嘗試添加「ROLE_ANONYMOUS」以及security =「none」和filters =「none」。但它仍然不起作用。 – Aryan