Spring Security 3.2 CSRF disable for specific URLs

Backend | Unresolved | 7 answers | 1927 views
梦毁少年i 2020-12-08 02:32

I enabled CSRF in my Spring MVC application using Spring Security 3.2.

My spring-security.xml

7 answers
  • 2020-12-08 02:56

    Use security="none". for e.g in spring-security-config.xml

    <security:intercept-url pattern="/*/verify" security="none" />
    
  • 2020-12-08 03:02

    I know this is not a direct answer, but people (like me) usually don't specify Spring's version when searching for these kinds of questions. So, Spring Security has a method that lets you ignore some routes:

    The following will ensure CSRF protection ignores:

    1. Any GET, HEAD, TRACE, OPTIONS (this is the default)
    2. We also explicitly state to ignore any request that starts with "/sockjs/"
         http
             .csrf()
                 .ignoringAntMatchers("/sockjs/**")
                 .and()
             ...
    
  • 2020-12-08 03:02

    I am using Spring Security v4.1. After a lot of reading and testing, I disable the CSRF security feature for specific URLs using XML configuration.

    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:util="http://www.springframework.org/schema/util"
                 xsi:schemaLocation="
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.0.xsd">
    
        <http pattern="/files/**" security="none" create-session="stateless"/>
    
        <http>
            <intercept-url pattern="/admin/**" access="hasAuthority('GenericUser')" />
            <intercept-url pattern="/**" access="permitAll" />
            <form-login 
                login-page="/login" 
                login-processing-url="/login"
                authentication-failure-url="/login"
                default-target-url="/admin/"
                password-parameter="password"
                username-parameter="username"
            />
            <logout delete-cookies="JSESSIONID" logout-success-url="/login" logout-url="/admin/logout" />
            <http-basic />
            <csrf request-matcher-ref="csrfMatcher"/>
        </http>
    
        <beans:bean id="csrfMatcher" class="org.springframework.security.web.util.matcher.OrRequestMatcher">
            <beans:constructor-arg>
                <util:list value-type="org.springframework.security.web.util.matcher.RequestMatcher">
                    <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                        <beans:constructor-arg name="pattern" value="/rest/**"/>
                        <beans:constructor-arg name="httpMethod" value="POST"/>
                    </beans:bean>
                    <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                        <beans:constructor-arg name="pattern" value="/rest/**"/>
                        <beans:constructor-arg name="httpMethod" value="PUT"/>
                    </beans:bean>
                    <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                        <beans:constructor-arg name="pattern" value="/rest/**"/>
                        <beans:constructor-arg name="httpMethod" value="DELETE"/>
                    </beans:bean>
                </util:list>
            </beans:constructor-arg>
        </beans:bean>
    
        <!-- ... -->
    
    </beans:beans>
    

    With the above configuration, I enable the CSRF security only for POST|PUT|DELETE requests of all URLs which start with /rest/.

  • 2020-12-08 03:03

    I hope that my answer can help someone else. I found this question while searching for how to disable CSRF for specific URLs in Spring Boot.

    I used the solution described here: http://blog.netgloo.com/2014/09/28/spring-boot-enable-the-csrf-check-selectively-only-for-some-requests/

    This is the Spring Security configuration that allows me to disable the CSRF control on some URLs:

    import javax.servlet.http.HttpServletRequest;
    
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
    import org.springframework.security.web.util.matcher.RequestMatcher;
    
    @Configuration
    @EnableWebMvcSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
      @Override
      protected void configure(HttpSecurity http) throws Exception {
    
        // Build the request matcher that decides when CSRF protection applies
        RequestMatcher csrfRequestMatcher = new RequestMatcher() {
    
          // Disable CSRF protection on the following URLs:
          private AntPathRequestMatcher[] requestMatchers = {
              new AntPathRequestMatcher("/login"),
              new AntPathRequestMatcher("/logout"),
              new AntPathRequestMatcher("/verify/**")
          };
    
          @Override
          public boolean matches(HttpServletRequest request) {
            // If the request matches one of the URLs above, CSRF protection is disabled
            for (AntPathRequestMatcher rm : requestMatchers) {
              if (rm.matches(request)) { return false; }
            }
            // Any other request, whatever its HTTP method, must carry a CSRF token
            return true;
          } // method matches
    
        }; // new RequestMatcher
    
        // Set security configurations
        http
          // Disable the CSRF protection on the matched requests
          .csrf()
            .requireCsrfProtectionMatcher(csrfRequestMatcher)
            .and();
    
        // Other configurations for the http object
        // ...
      } // method configure
    
    
      @Autowired
      public void configureGlobal(AuthenticationManagerBuilder auth) 
          throws Exception {
    
        // Authentication manager configuration  
        // ...
    
      }
    
    }
    

    It works with Spring Boot 1.2.2 (and Spring Security 3.2.6).

  • 2020-12-08 03:04

    Temporarily this simple line could be handy:

    <http pattern="/home/test**" security="none" />
    
  • 2020-12-08 03:13
    <http ...>
        <csrf request-matcher-ref="csrfMatcher"/>
    
        <headers>
            <frame-options policy="SAMEORIGIN"/>
        </headers>
    
        ...
    </http>
    
    <b:bean id="csrfMatcher"
        class="org.springframework.security.web.util.matcher.AndRequestMatcher">
        <!-- AndRequestMatcher takes one list of matchers: the default rule (safe methods exempt)
             AND "not under /chat/**" -->
        <b:constructor-arg>
            <b:list>
                <b:value>#{T(org.springframework.security.web.csrf.CsrfFilter).DEFAULT_CSRF_MATCHER}</b:value>
                <b:bean class="org.springframework.security.web.util.matcher.NegatedRequestMatcher">
                    <b:constructor-arg>
                        <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                            <b:constructor-arg value="/chat/**"/>
                        </b:bean>
                    </b:constructor-arg>
                </b:bean>
            </b:list>
        </b:constructor-arg>
    </b:bean>
    

    which is the equivalent of

     http
            .csrf()
                // ignore our stomp endpoints since they are protected using Stomp headers
                .ignoringAntMatchers("/chat/**")
    

    example from : https://docs.spring.io/spring-security/site/docs/4.1.x/reference/htmlsingle/

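Added example (not from the question or any of the answers above): the Java-config equivalent of the matcher compositions shown in the XML answers, for Spring Security 3.2 and later. It keeps the safe-method exemption explicit instead of depending on the filter's internal default, and exempts only the assumed `/rest/**` and `POST /verify/**` endpoints; those paths and the `GenericUser` authority are illustrative assumptions.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class SelectiveCsrfConfig extends WebSecurityConfigurerAdapter {
    // Safe methods never need a token; this mirrors the filter's default rule explicitly.
    static RequestMatcher safeMethods() {
        return new OrRequestMatcher(Arrays.<RequestMatcher>asList(
                new AntPathRequestMatcher("/**", "GET"),
                new AntPathRequestMatcher("/**", "HEAD"),
                new AntPathRequestMatcher("/**", "TRACE"),
                new AntPathRequestMatcher("/**", "OPTIONS")));
    }

    // Endpoints exempted from the check (assumed paths): a token-authenticated REST API
    // and a signed callback endpoint, neither of which relies on the session cookie.
    static RequestMatcher csrfExempt() {
        return new OrRequestMatcher(Arrays.<RequestMatcher>asList(
                new AntPathRequestMatcher("/rest/**"),
                new AntPathRequestMatcher("/verify/**", "POST")));
    }

    // CSRF is enforced only when the request is neither safe nor exempt.
    static RequestMatcher csrfRequired() {
        return new AndRequestMatcher(Arrays.<RequestMatcher>asList(
                new NegatedRequestMatcher(safeMethods()),
                new NegatedRequestMatcher(csrfExempt())));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().requireCsrfProtectionMatcher(csrfRequired())
            .and()
            .authorizeRequests()
                .antMatchers("/admin/**").hasAuthority("GenericUser")
                .anyRequest().permitAll();
    }
}
```

An exempted endpoint must authenticate by something a browser does not attach automatically (a bearer token or a request signature rather than the session cookie); otherwise the exemption simply reopens that endpoint to cross-site requests.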