过滤器在播放后禁用它仍会过滤POST

时间:2018-05-28 01:03:15

标签: java scala playframework http-headers

遇到播放和Http过滤器的问题,我已经使用了几种方法来禁用它,但它一直声称过滤器已启用。 有没有其他方法来解释它我没试过....

这是我的application.conf文件

    play.filters {

  # Enabled filters are run automatically against Play.
  # CSRFFilter, AllowedHostFilters, and SecurityHeadersFilters are enabled by default.
  #enabled += filters.ExampleFilter

  # Disabled filters remove elements from the enabled list.
  disabled += filters.ExampleFilter

  ## CORS filter configuration
  # https://www.playframework.com/documentation/latest/CorsFilter
  # ~~~~~
  # CORS is a protocol that allows web applications to make requests from the browser
  # across different domains.
  # NOTE: You MUST apply the CORS configuration before the CSRF filter, as CSRF has
  # dependencies on CORS settings.
  cors {
    # Filter paths by a whitelist of path prefixes
    #pathPrefixes = ["/some/path", ...]

    # The allowed origins. If null, all origins are allowed.
    allowedOrigins = null
    #  ["http://www.example.com"]

    # The allowed HTTP methods. If null, all methods are allowed
    #allowedHttpMethods = ["GET", "POST"]
    play.filters.disabled += "play.filters.cors.CORSFilter"
  }

  ## CSRF Filter
  # https://www.playframework.com/documentation/latest/ScalaCsrf#Applying-a-global-CSRF-filter
  # https://www.playframework.com/documentation/latest/JavaCsrf#Applying-a-global-CSRF-filter
  # ~~~~~
  # Play supports multiple methods for verifying that a request is not a CSRF request.
  # The primary mechanism is a CSRF token. This token gets placed either in the query string
  # or body of every form submitted, and also gets placed in the users session.
  # Play then verifies that both tokens are present and match.
  csrf {
    # Sets the cookie to be sent only over HTTPS
    #cookie.secure = true

    # Defaults to CSRFErrorHandler in the root package.
    #errorHandler = MyCSRFErrorHandler
    play.filters.disabled += "play.filters.csrf.CSRFFilter"
  }


  play.filters.disabled += "play.filters.hosts.AllowedHostsFilter"




  play.filters.enabled=[]



  ## Security headers filter configuration
  # https://www.playframework.com/documentation/latest/SecurityHeaders
  # ~~~~~
  # Defines security headers that prevent XSS attacks.
  # If enabled, then all options are set to the below configuration by default:
  headers {
    # The X-Frame-Options header. If null, the header is not set.
    #frameOptions = "DENY"

    # The X-XSS-Protection header. If null, the header is not set.
    #xssProtection = "1; mode=block"

    # The X-Content-Type-Options header. If null, the header is not set.
    #contentTypeOptions = "nosniff"

    # The X-Permitted-Cross-Domain-Policies header. If null, the header is not set.
    #permittedCrossDomainPolicies = "master-only"

    # The Content-Security-Policy header. If null, the header is not set.
    #contentSecurityPolicy = "default-src 'self'"
  }

我甚至在路线的顶部禁用了它:这是路线文件:

GET     /                           controllers.ShopController.index

+ nocsrf
GET    /products                           controllers.ShopController.listOfProducts()
+ nocsrf
GET    /products/new                       controllers.ShopController.createNewProduct()

+ nocsrf
POST   /products/new                       controllers.ShopController.saveProduct()
# An example controller showing how to use dependency injection
GET     /count                      controllers.CountController.count
# An example controller showing how to write asynchronous code
GET     /message                    controllers.AsyncController.message

# Map static resources from the /public folder to the /assets URL path
GET     /assets/*file               controllers.Assets.versioned(path="/public", file: Asset)

这是stacktrace :: 

info] application - ApplicationTimer demo: Stopping application at 2018-05-28T00:46:22.634Z after 245s.
[info] application - Shutting down connection pool.
[info] application - Creating Pool for datasource 'default'
[info] p.a.d.DefaultDBApi - Database [default] connected at jdbc:h2:mem:play
[info] application - ApplicationTimer demo: Starting application at 2018-05-28T00:46:23.076Z
[warn] o.h.v.m.ParameterMessageInterpolator - HV000184: ParameterMessageInterpolator has been chosen, EL interpolation will not be supported
[info] p.a.h.EnabledFilters - Enabled Filters (see <https://www.playframework.com/documentation/latest/Filters>):

    play.filters.csrf.CSRFFilter
    play.filters.headers.SecurityHeadersFilter
    play.filters.hosts.AllowedHostsFilter

[info] play.api.Play - Application started (Dev)

我无法理解为什么它不能禁用,重新编译甚至重启sbt ....任何帮助都表示赞赏。谢谢。

1 个答案:

答案 0 :(得分:0)

您似乎使用了播放seed模板来开发Play应用程序。您可以删除application.conf中的所有内容,然后在此基础上进行构建;因为它确实触及了Play的不同方面。您甚至可以在整个application.conf过滤器中使用以下内容:

play.filters.disabled += "play.filters.csrf.CSRFFilter" 
play.filters.disabled += "play.filters.headers.SecurityHeadersFilter"
play.filters.disabled += "play.filters.hosts.AllowedHostsFilter"
play.filters.disabled += "filters.ExampleFilter"

还要更清晰的代码摆脱所有Filter相关的类,因为你不想要/使用它们。然后,执行clean / compile / run查看结果:

sbt clean compile run
相关问题
最新问题