我在使用csrf时遇到了问题,即使在春季配置中已将其禁用。 我的日志输出如下:
Invalid CSRF token found for http://localhost:8080/exercise/
我有这个弹簧配置
protected void configure(HttpSecurity http)throws Exception {
http.csrf().disable();
http
.httpBasic()
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/user/add").hasRole("ADMIN")
.antMatchers(HttpMethod.POST).hasAnyRole("ADMIN", "TRAINER")
.antMatchers(HttpMethod.DELETE).hasAnyRole("ADMIN", "TRAINER")
.antMatchers(HttpMethod.GET).permitAll()
.antMatchers(HttpMethod.PUT).permitAll()
.antMatchers(HttpMethod.HEAD).permitAll()
.antMatchers("/register/").authenticated()
.and()
.exceptionHandling()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.permitAll();
}
由于日志输出,似乎我已通过身份验证和授权:
Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@1ddb0b4b: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1ddb0b4b: Principal: com.brevisfit.api.model.user.User[ iduser=1 ]; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_TRAINER'
我对POST \ DELETE \ PUT请求有问题,因为它们引发了403响应,据我了解,该响应来自CsrfFilter.class
if (!csrfToken.getToken().equals(actualToken)) {
if (this.logger.isDebugEnabled()) {
this.logger.debug("Invalid CSRF token found for "
+ UrlUtils.buildFullRequestUrl(request));
}
对于请求,我使用的是邮递员。
答案 0 :(得分:0)
您的AuthenticationBuilder应该为@Autowired。
@Autowired
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(authenticationProvider());
}