Enabling CSRF for only two paths

Time: 2018-04-04 11:05:52

Tags: java spring spring-boot csrf

I searched Stack Overflow for this problem, but what I found were questions where CSRF is enabled and a certain path is ignored.

I want to do exactly the opposite. I have many endpoints, and I want to disable CSRF for all paths and enable it for only a few.

I am using Spring Boot and have a WebSecurityConfig class.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Placeholder: the question does not show the real list of public endpoints.
    private static final String[] listOfEndPoints = { "/public/**" };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(listOfEndPoints).permitAll()
                .anyRequest().fullyAuthenticated();
        http.httpBasic();
        // CSRF is switched off for every request; the goal is to keep it on for a few paths only.
        http.csrf().disable();
    }
}

So, I want to disable CSRF for all possible endpoints and override that in another function in which only a few paths (two or three) are CSRF-protected.

1 answer:

Answer 0 (score: 0)

Well, I guess you could split your security configuration into several static inner classes to achieve this:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author slemoine
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Note: this outer adapter overrides nothing, so it also registers Spring Security's
    // default filter chain (order 100, CSRF enabled) for requests none of the inner chains match.

    // Lowest @Order value wins: the first chain whose antMatcher matches handles the request.
    @Configuration
    @Order(1)
    public static class CsrfDisabledSecurityConfig extends WebSecurityConfigurerAdapter {

        private static final String MATCHER = "/nocsrf/**";

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Only requests under /nocsrf/** reach this chain; CSRF is off for them.
            http.antMatcher(MATCHER).authorizeRequests()
                    .anyRequest()
                    .authenticated().and()
                    .csrf().disable();
        }
    }

    @Configuration
    @Order(2)
    public static class WithCsrfSecurityConfig extends WebSecurityConfigurerAdapter {

        private static final String MATCHER = "/withcsrf/**";

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // CSRF is enabled by default, so nothing needs to be switched on here.
            http.antMatcher(MATCHER).authorizeRequests()
                    .anyRequest().authenticated();
        }
    }

    @Configuration
    @Order(3)
    public static class VariousUriWithCsrfDisabledSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // antMatcher() sets the chain's single request matcher, so calling it twice
            // keeps only the last pattern; requestMatchers() binds the chain to both paths.
            http
                    .requestMatchers()
                        .antMatchers("/path1/**", "/path2/**")
                        .and()
                    .authorizeRequests()
                    .anyRequest().authenticated()
                    .and().csrf().disable();
        }
    }
}

The first two static inner configurations show how to enable or disable CSRF under a common root path. The third disables CSRF on some specific paths.

Or, if you want a more direct implementation that answers your question:

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * @author slemoine
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Evaluated first: the few paths that keep CSRF protection (enabled by default).
    @Configuration
    @Order(1)
    public static class VariousUriWithCsrfEnabledSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // antMatcher() sets the chain's single request matcher, so calling it twice
            // keeps only the last pattern; requestMatchers() binds the chain to both paths.
            http
                    .requestMatchers()
                        .antMatchers("/path1/**", "/path2/**")
                        .and()
                    .authorizeRequests()
                    .anyRequest().authenticated();
        }
    }

    // Catch-all chain for every other request, with CSRF disabled.
    @Configuration
    @Order(2)
    public static class CsrfDisabledSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest()
                    .authenticated().and()
                    .csrf().disable();
        }
    }
}
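The same requirement (CSRF off everywhere except a couple of paths) can also be met inside a single WebSecurityConfigurerAdapter, without stacking filter chains, by replacing the request matcher that tells Spring Security's CsrfFilter which requests must carry a token. The following is an added example written for this page, not code from the question or from slemoine's answer; the path patterns /account/transfer/** and /account/settings/** and the class name are assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class CsrfOnSelectedPathsConfig extends WebSecurityConfigurerAdapter {

    // Assumed paths for illustration: the only endpoints that keep CSRF protection.
    private static final String[] CSRF_PROTECTED_PATHS = {
            "/account/transfer/**", "/account/settings/**" };

    // Spring Security's default CSRF matcher exempts the "safe" methods (GET, HEAD,
    // TRACE, OPTIONS). requireCsrfProtectionMatcher() replaces that default entirely,
    // so the exemption has to be rebuilt here; otherwise a plain GET of a protected
    // page would be rejected for lacking a token.
    private static final RequestMatcher SAFE_METHODS = new OrRequestMatcher(
            new AntPathRequestMatcher("/**", "GET"),
            new AntPathRequestMatcher("/**", "HEAD"),
            new AntPathRequestMatcher("/**", "TRACE"),
            new AntPathRequestMatcher("/**", "OPTIONS"));

    /** Requests that must carry a CSRF token: a state-changing method on a protected path. */
    static RequestMatcher csrfRequired() {
        List<RequestMatcher> protectedPaths = Arrays.stream(CSRF_PROTECTED_PATHS)
                .<RequestMatcher>map(AntPathRequestMatcher::new)
                .collect(Collectors.toList());
        return new AndRequestMatcher(
                new OrRequestMatcher(protectedPaths),
                new NegatedRequestMatcher(SAFE_METHODS));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .httpBasic()
                .and()
            .csrf()
                // Unlike csrf().disable(), the CsrfFilter stays in the chain and a token is
                // still issued on every request; it is only enforced where this matcher says so.
                .requireCsrfProtectionMatcher(csrfRequired());
    }
}
```

Two things worth checking before relying on either approach. First, with the multi-chain layout the ordering is the whole mechanism: the first chain whose matcher accepts the request handles it, so a catch-all chain with a lower @Order value than the protected one silently disables CSRF everywhere. Second, the question's configuration uses HTTP Basic; browsers replay Basic credentials automatically just as they do session cookies, so the endpoints that change state still need CSRF protection even though no session is involved. A MockMvc test that POSTs to a protected path without a token and expects 403, and to an unprotected path expecting anything but 403, is a cheap way to pin the intended behaviour down.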