我使用Spring Security 3.2.7和spring boot 1.2.3。我正在构建Rest应用程序并使用java配置实现spring安全性,其中默认情况下CSRF处于打开状态,我知道我可以使用“http.csrf()。disable()”在我的重写配置方法中禁用它。但是假设我不想禁用它,但我需要CSRF令牌。当我点击网址
localhost:8080/myproject/url
使用POST请求
{
"timestamp": 1431682924618,
"status": 403,
"error": "Forbidden",
"message": "Expected CSRF token not found. Has your session expired?",
"path": "/myproject/user"
}
那么如何在不禁用csrf的情况下以相同的结果点击同一个网址。
我的SecurityConfig文件是:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
@Autowired
private DataSource dataSource;
@Autowired
private CustomUserDetailsService customUserDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// In memory authentication
/*auth
.inMemoryAuthentication()
.withUser("user").password("password").roles("USER");*/
auth.userDetailsService(customUserDetailsService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// http.csrf().disable() //Disable csrf security
http
.authorizeRequests()
.antMatchers("/myproject/user/signup").permitAll()
.antMatchers("/myproject/**").hasRole("ADMIN")
.and().httpBasic();
}
}