问题
For my project I am trying to make a simple service which can do POST, GET and DELETE requests. I'm not interested in the extra security layer added by CSRF, so I want it turned off. I know that by default it should be off, but it does not seem to behave. Every time I make a post request, it gives me the following output:
/users/insert at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
o.s.security.web.FilterChainProxy : /users/insert at position 2 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
o.s.security.web.FilterChainProxy : /users/insert at position 3 of 15 in additional filter chain; firing Filter: 'HeaderWriterFilter'
o.s.security.web.FilterChainProxy : /users/insert at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/users/insert
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@6c3a524b
w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
If I do a GET request it works just fine.
My pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.1.3.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.webservices</groupId>
<artifactId>restservice</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>restservice</name>
<description>Rest webservice</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-hateoas</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<version>5.3.2.RELEASE</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-rest-hal-browser</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-rest-hal-browser</artifactId>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
In my application.properties I've tried security.enable.csrf=false, but it does not work.
回答1:
CSRF stands for Cross-Site Request Forgery which is default enabled while using the Spring Security as follows,
public CsrfConfigurer<HttpSecurity> csrf() throws Exception {
ApplicationContext context = getContext();
return getOrApply(new CsrfConfigurer<>(context));
}
Completly Disable
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()...
}
Partially Enabled
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().ignoringAntMatchers("csrf-disabled-endpoints")...
}
Include CSRF
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().ignoringAntMatchers("csrf-disabled-endpoints")
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())...
}
You may like to explore more details here What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
回答2:
CSRF protection is enabled by default. There is no way to disable the csrf feature by configuring in application.properties by default. As Patel points out, this must be done by disabling csrf on your HttpSecurity configuration.
See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-csrf-configure-disable on how to do this using either XML or Java configuration.
You may create your own application.properties entry by using an @Value within your java configuration. e.g.
@Value("${security.enable.csrf}") private boolean csrfEnabled;
回答3:
The answer from Patel Romil fixed my problem!
Have you added the csrf.disable() in configure(HttpSecurity http) method?
来源:https://stackoverflow.com/questions/62794914/spring-security-using-csrf-token-even-though-not-specified-and-turned-off