在特定防火牆上禁用CSRF

Question

我有一個允許用戶通過2個不同通道訪問的應用程序。

• 正常，樹枝
• 問題的REST通過FOSRestBundle - example.com/api/*地址

我已經啓用了CSRF保護，因爲我想在第一種情況下使用它。

framework: 
    csrf_protection: true 

但是......我需要禁用CSRF保護，同時我要送請求/ API/*地址，因爲在這種情況下，我通過OAuth登錄。

我可以禁用特定防火牆的CSRF保護嗎？

我的防火牆：

firewalls: 
    oauth_token:         
     pattern: ^/api/oauth/v2/token 
     security: false 
    api: 
     pattern: ^/api/        
     fos_oauth: true        
     stateless: true        
     anonymous: false       
    main: 
     pattern: ^/ 
     form_login: 
      provider: chain_provider 
      csrf_provider: form.csrf_provider 
     logout:  true 
     anonymous: true 

雖然我送POST請求/ API /服務器返回錯誤：

The CSRF token is invalid. Please try to resubmit the form.

我需要禁用此保護api防火牆，並保持它main 。可能嗎？

Answer 1

可以用戶的基礎上處理這個問題：

http://symfony.com/doc/current/bundles/FOSRestBundle/2-the-view-layer.html#csrf-validation

When building a single application that should handle forms both via HTML forms as well as via a REST API, one runs into a problem with CSRF token validation. In most cases it is necessary to enable them for HTML forms, but it makes no sense to use them for a REST API. For this reason there is a form extension to disable CSRF validation for users with a specific role. This of course requires that REST API users authenticate themselves and get a special role assigned.

fos_rest: 
    disable_csrf_role: ROLE_API