我已经在我的项目中对jsp和freemarker应用了CSRF,它运行良好。
以下是在spring-security.xml中指定Web网址的代码
<http xmlns="http://www.springframework.org/schema/security"
access-denied-page="/accessdenied" auto-config="true" use-expressions="true"
create-session="ifRequired">
<intercept-url pattern="/register" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<form-login login-page="/login"
authentication-failure-handler-ref="customAuthenticationFailureHandler"
authentication-success-handler-ref="mySimpleUrlAuthenticationSuccessHandler" />
<logout logout-success-url="/login?logout=true" delete-cookies="JSESSIONID"
invalidate-session="true" />
<csrf/>
</http>
以下是REST API中spring-security.xml的代码。我还尝试在REST HTTP标记中使用CSRF标记,但它也不能正常工作。
<http pattern="/api/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/addpatient" access="ROLE_ADMIN"
method="POST" />
<intercept-url pattern="/api/addpatient/image/{p_id}"
access="ROLE_ADMIN" method="POST" />
<intercept-url pattern="/api/patients" access="ROLE_ADMIN"
method="GET" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<!-- <csrf /> -->
<!-- <http-basic/> <form-login login-processing-url="/api" authentication-success-handler-ref="mySuccessHandler"
authentication-failure-handler-ref="myFailureHandler" /> -->
</http>
REST和Web网址中的所有POST方法都可以正常工作,我已经使用了安全性或添加到安全文件中。但我想要一个REST URL来注册新用户而不应用任何安全性。
当我从邮递员发送数据时,我得到以下控制台异常:
"10:09:48,749 DEBUG ExceptionTranslationFilter:115 - Chain processed normally
10:09:48,749 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed
10:10:10,723 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/adduser'; against '/oauth/token'
10:10:10,726 DEBUG AntPathRequestMatcher:145 - Checking match of request : '/adduser'; against '/api/**'
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 1 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:10:10,726 DEBUG HttpSessionSecurityContextRepository:136 - No HttpSession currently exists
10:10:10,726 DEBUG HttpSessionSecurityContextRepository:90 - No SecurityContext was available from the HttpSession: null. A new one will be created.
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 2 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
10:10:10,726 DEBUG FilterChainProxy:337 - /adduser at position 3 of 13 in additional filter chain; firing Filter: 'CsrfFilter'
10:10:10,727 DEBUG CsrfFilter:95 - Invalid CSRF token found for http://localhost:1522/si-server/adduser
enter into denied page
10:10:10,731 DEBUG cache:83 - Could not find template in cache, creating new one; id=["denied.ftl"["en_US",Cp1252,parsed] ]
10:10:10,791 DEBUG HttpSessionSecurityContextRepository:300 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
10:10:10,792 DEBUG HttpSessionSecurityContextRepository:300 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
10:10:10,797 DEBUG SecurityContextPersistenceFilter:97 - SecurityContextHolder now cleared, as request processing completed"
P.S。 只有没有安全性的REST与我正在做同样事情的网址形成对比。
答案 0 :(得分:0)
为什么不尝试添加角色&#34; ROLE_ANONYMOUS&#34;因为您不希望将安全性应用于URL&#34; / adduser&#34;。
<intercept-url pattern="/adduser*" access="ROLE_ANONYMOUS"/>