Spring Security 3.2 CSRF disable for specific URLs

Anonymous (unverified), submitted on 2019-12-03 02:14:01

Question:

Enabled CSRF in my Spring MVC application using Spring Security 3.2.

My spring-security.xml

```xml
<http>
    <intercept-url pattern="/**/verify" requires-channel="https"/>
    <intercept-url pattern="/**/login*" requires-channel="http"/>
    ...
    ...
    <csrf />
</http>
```

Trying to disable CSRF for requests that contain 'verify' in request URL.

MySecurityConfig.java

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class MySecurityConfig extends WebSecurityConfigurerAdapter {

    private CsrfMatcher csrfRequestMatcher = new CsrfMatcher();

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Replace the filter's default "which requests need a token" rule with our own
        http.csrf().requireCsrfProtectionMatcher(csrfRequestMatcher);
    }

    // Returns false (no CSRF check) for any request URL containing "verify" or "homePage"
    class CsrfMatcher implements RequestMatcher {
        @Override
        public boolean matches(HttpServletRequest request) {
            if (request.getRequestURL().indexOf("verify") != -1)
                return false;
            else if (request.getRequestURL().indexOf("homePage") != -1)
                return false;
            return true;
        }
    }
}
```

The CSRF filter validates the CSRF token that is submitted from 'verify', and an invalid token exception (403) is thrown, as I'm submitting the request to https from http. How can I disable CSRF token authentication in such a scenario?

Answer 1:

I know this is not a direct answer, but people (like me) usually don't specify Spring's version when searching for this kind of question. So, since Spring Security a method exists that lets you ignore some routes:

The following will ensure CSRF protection ignores:

  1. Any GET, HEAD, TRACE, OPTIONS (this is the default)
  2. We also explicitly state to ignore any request that starts with "/sockjs/"

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
            // no CSRF token check for anything under /sockjs/
            .ignoringAntMatchers("/sockjs/**")
            .and()
        ...
}
```


Answer 2:

I hope that my answer can help someone else. I found this question searching for how to disable CSRF for specific URLs in Spring Boot.

I used the solution described here: http://blog.netgloo.com/2014/09/28/spring-boot-enable-the-csrf-check-selectively-only-for-some-requests/

This is the Spring Security configuration that allows me to disable the CSRF check on some URLs:

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // Build the request matcher for CSRF protection
        RequestMatcher csrfRequestMatcher = new RequestMatcher() {

            // Disable CSRF protection on the following URLs:
            private AntPathRequestMatcher[] requestMatchers = {
                new AntPathRequestMatcher("/login"),
                new AntPathRequestMatcher("/logout"),
                new AntPathRequestMatcher("/verify/**")
            };

            @Override
            public boolean matches(HttpServletRequest request) {
                // If the request matches one of the URLs, CSRF protection is disabled for it
                for (AntPathRequestMatcher rm : requestMatchers) {
                    if (rm.matches(request)) { return false; }
                }
                return true;
            } // method matches

        }; // new RequestMatcher

        // Set security configurations
        http
            // Disable the CSRF protection on some request matches
            .csrf()
                .requireCsrfProtectionMatcher(csrfRequestMatcher)
                .and()
            // Other configurations for the http object
            // ...
        ;
    } // method configure

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Authentication manager configuration
        // ...
    }
}
```

It works with Spring Boot 1.2.2 (and Spring Security 3.2.6).
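A check worth running on the Java-config matchers in the question and the two answers above, added here as an example that is not part of any answer and not Spring's own code: `requireCsrfProtectionMatcher` replaces the filter's entire decision, so a matcher that returns true for everything not on its exclusion list also demands a token on plain GET requests, and a substring test such as `indexOf("verify")` exempts lookalike paths like `/unverify` as well. The matcher below keeps `CsrfFilter.DEFAULT_CSRF_MATCHER` (the built-in rule that GET, HEAD, TRACE and OPTIONS never need a token) and subtracts only exact, POST-only Ant patterns; the `main` method exercises it with `MockHttpServletRequest` from spring-test. The paths `/verify`, `/login`, `/account` and `/unverify` are constructed for the demonstration, and Spring Security 3.2 or later plus spring-test on the classpath are assumed.

```java
package example.csrf;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Builds the RequestMatcher handed to http.csrf().requireCsrfProtectionMatcher(...).
 * Result: "request needs a CSRF token" == defaultRule AND NOT (any exempt POST pattern).
 * Example code, not from the page's answers; hypothetical paths throughout.
 */
public final class CsrfExemptions {

    private CsrfExemptions() {}

    public static RequestMatcher requireCsrfExcept(String... exemptPostPatterns) {
        if (exemptPostPatterns.length == 0) {
            // Nothing to exempt: behave exactly like the filter's default
            return CsrfFilter.DEFAULT_CSRF_MATCHER;
        }
        RequestMatcher[] exempt = new RequestMatcher[exemptPostPatterns.length];
        for (int i = 0; i < exemptPostPatterns.length; i++) {
            // Exact Ant pattern, restricted to POST: "/verify" does not cover "/unverify"
            // or "/verify/extra" (use "/verify/**" deliberately if sub-paths are wanted)
            exempt[i] = new AntPathRequestMatcher(exemptPostPatterns[i], "POST");
        }
        return new AndRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER,          // GET/HEAD/TRACE/OPTIONS never need a token
                new NegatedRequestMatcher(new OrRequestMatcher(exempt)));
    }

    // Wiring inside a WebSecurityConfigurerAdapter.configure(HttpSecurity http):
    //   http.csrf().requireCsrfProtectionMatcher(CsrfExemptions.requireCsrfExcept("/verify", "/login"));

    // AntPathRequestMatcher compares against servletPath + pathInfo, so set the servlet path explicitly
    private static MockHttpServletRequest req(String method, String path) {
        MockHttpServletRequest r = new MockHttpServletRequest(method, path);
        r.setServletPath(path);
        return r;
    }

    private static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        RequestMatcher m = requireCsrfExcept("/verify", "/login");
        check(!m.matches(req("GET", "/account")),       "GET never needs a token");
        check(m.matches(req("POST", "/account")),       "POST elsewhere still needs a token");
        check(!m.matches(req("POST", "/verify")),       "exempt POST endpoint needs no token");
        check(m.matches(req("POST", "/unverify")),      "substring lookalike is NOT exempt");
        check(m.matches(req("POST", "/verify/extra")),  "sub-path is NOT exempt without /**");
        check(!m.matches(req("GET", "/verify")),        "GET on the exempt path needs no token either");
        System.out.println("all CSRF matcher checks passed");
    }
}
```

Running the `main` method with spring-security-web and spring-test on the classpath prints the success line; flipping any exempt pattern to a substring check or dropping `DEFAULT_CSRF_MATCHER` from the `AndRequestMatcher` makes one of the checks throw, which is the quickest way to see the difference between "exempt these POSTs" and "require a token on everything else, GETs included".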



Answer 3:

Here is a well-done blog about how to disable the CSRF-check for some URLs, using xml configuration:

http://blogs.sourceallies.com/2014/04/customizing-csrf-protection-in-spring-security/

Unfortunately it does not seem to work with my version Spring Security 3.2.8.



Answer 4:

I am using Spring Security v4.1. After a lot of reading and testing, I disabled the CSRF security feature for specific URLs using XML configuration.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:util="http://www.springframework.org/schema/util"
             xsi:schemaLocation="
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">

    <http pattern="/files/**" security="none" create-session="stateless"/>

    <http>
        <intercept-url pattern="/admin/**" access="hasAuthority('GenericUser')" />
        <intercept-url pattern="/**" access="permitAll" />
        <form-login
            login-page="/login"
            login-processing-url="/login"
            authentication-failure-url="/login"
            default-target-url="/admin/"
            password-parameter="password"
            username-parameter="username"
        />
        <logout delete-cookies="JSESSIONID" logout-success-url="/login" logout-url="/admin/logout" />
        <http-basic />
        <!-- The CSRF filter only checks requests that this matcher accepts -->
        <csrf request-matcher-ref="csrfMatcher"/>
    </http>

    <beans:bean id="csrfMatcher" class="org.springframework.security.web.util.matcher.OrRequestMatcher">
        <beans:constructor-arg>
            <util:list value-type="org.springframework.security.web.util.matcher.RequestMatcher">
                <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                    <beans:constructor-arg name="pattern" value="/rest/**"/>
                    <beans:constructor-arg name="httpMethod" value="POST"/>
                </beans:bean>
                <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                    <beans:constructor-arg name="pattern" value="/rest/**"/>
                    <beans:constructor-arg name="httpMethod" value="PUT"/>
                </beans:bean>
                <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                    <beans:constructor-arg name="pattern" value="/rest/**"/>
                    <beans:constructor-arg name="httpMethod" value="DELETE"/>
                </beans:bean>
            </util:list>
        </beans:constructor-arg>
    </beans:bean>

    <!-- ... -->

</beans:beans>
```

With the above configuration I enable CSRF security only for POST|PUT|DELETE requests to all URLs which start with /rest/.



Answer 5:

Temporarily this simple line could be handy:

```xml
<http pattern="/home/test**" security="none" />
```


Answer 6:

Use security="none", e.g. in spring-security-config.xml:

```xml
<security:intercept-url pattern="/*/verify" security="none" />
```


Answer 7:

Whichever class extends WebSecurityConfigurerAdapter:

Just add this

```java
@Override
public void configure(WebSecurity web) throws Exception {
    // Requests matching these patterns bypass the security filter chain entirely
    web.ignoring()
        .antMatchers(HttpMethod.OPTIONS, "/**")
        .antMatchers("/app/**/*.{js,html}")
        .antMatchers("/bower_components/**")
        .antMatchers("/i18n/**")
        .antMatchers("/content/**")
        .antMatchers("/swagger-ui/index.html")
        .antMatchers("/test/**")
        .antMatchers("/api/payu-gateway-success")
        .antMatchers("/api/payu-gateway-failure")
        .antMatchers("/api/payu-gateway-dispute")
        .antMatchers("/api/payu-gateway-refund");
}
```

And the ones that I want to secure are in the method:

```java
// corsFilter, rememberMeServices, jHipsterProperties, authenticationDetailsSource and the
// handler/entry-point methods are other members of the same configuration class (not shown)
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf()//.disable()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
    .and()
        .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
        .exceptionHandling()
        .authenticationEntryPoint(http401UnauthorizedEntryPoint())
    .and()
        .rememberMe()
        .rememberMeServices(rememberMeServices)
        .rememberMeParameter("remember-me")
        .key(jHipsterProperties.getSecurity().getRememberMe().getKey())
    .and()
        .formLogin()
        .authenticationDetailsSource(authenticationDetailsSource)
        .loginProcessingUrl("/api/authentication")
        // .successHandler(ajaxAuthenticationSuccessHandler())
        .successHandler(ajaxAuthenticationSuccessHandler())
        .failureHandler(ajaxAuthenticationFailureHandler())
        .usernameParameter("j_username")
        .passwordParameter("j_password")
        .permitAll()
    .and()
        .logout()
        .logoutUrl("/api/logout")
        .logoutSuccessHandler(ajaxLogoutSuccessHandler())
        .permitAll()
    .and()
        .headers()
        .frameOptions()
        .disable()
    .and()
        .authorizeRequests()
        .antMatchers("/api/register").permitAll()
        .antMatchers("/api/activate").permitAll()
        .antMatchers("/api/authenticate").permitAll()
        .antMatchers("/api/account/reset-password/init").permitAll()
        .antMatchers("/api/account/reset-password/finish").permitAll()
        .antMatchers("/api/profile-info").permitAll()
        .antMatchers("/api/**").authenticated()
        .antMatchers("/management/health").permitAll()
        // #later
        //.antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
        .antMatchers("api/myServlet").permitAll()
        .antMatchers("/management/**").permitAll()
        .antMatchers("/v2/api-docs/**").permitAll()
        .antMatchers("/swagger-resources/configuration/ui").permitAll()
        .antMatchers("/swagger-ui/index.html").hasAuthority(AuthoritiesConstants.ADMIN);
}
```
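A contrast to the approach in the answer above, added as an example that is neither the answer's code nor JHipster's: `web.ignoring()` builds a filter chain with no filters at all for the listed patterns, so a payment-gateway callback placed there loses not only the CSRF check but also authorization rules, session handling, security headers and any custom filter such as the CORS filter. The configuration below keeps static assets and pre-flight OPTIONS in `web.ignoring()` and instead exempts the callback endpoints from the CSRF check alone with `csrf().ignoringAntMatchers(...)`, leaving them inside the chain with an explicit `permitAll` for POST. The callback paths are hypothetical, and the Spring Security 4.x Java config that the answer already relies on (`ignoringAntMatchers`, `CookieCsrfTokenRepository`) is assumed.

```java
package example.csrf;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Example configuration (not from the page): CSRF exemption for gateway callbacks
 * without removing them from the security filter chain.
 */
@Configuration
@EnableWebSecurity
public class WebhookSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical callback paths, standing in for the payu-gateway-* URLs in the answer
    private static final String[] GATEWAY_CALLBACKS = {
        "/api/gateway-callback/success",
        "/api/gateway-callback/failure"
    };

    @Override
    public void configure(WebSecurity web) throws Exception {
        // web.ignoring(): no security filter runs for these requests at all.
        // Reserve it for content that genuinely needs no security processing.
        web.ignoring()
            .antMatchers(HttpMethod.OPTIONS, "/**")
            .antMatchers("/content/**")
            .antMatchers("/i18n/**");
        // The gateway callbacks are deliberately NOT listed here.
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Only the CsrfFilter skips these paths; every other filter still runs
                .ignoringAntMatchers(GATEWAY_CALLBACKS)
                .and()
            .authorizeRequests()
                // Reachable without a session, but still subject to headers, CORS,
                // session management and whatever custom filters the chain carries
                .antMatchers(HttpMethod.POST, GATEWAY_CALLBACKS).permitAll()
                .antMatchers("/api/**").authenticated();
    }
}
```

With this in place a GET to a callback path is still rejected by `authorizeRequests()` (only POST is permitted), while a POST from the gateway carries no session and no CSRF token and is accepted; the endpoint itself should still verify the gateway's signature, which is outside what Spring Security's CSRF support can do.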

