提问人:Giovanni Grana 提问时间:11/2/2023 最后编辑:Giovanni Grana 更新时间:11/8/2023 访问量:83
CSRF 不会被 .csrf().disable() 禁用
CSRF doesn't get disabled by .csrf().disable()
问:
我目前正在使用带有Spring Security的Springboot 1.5.8,并且正在测试基本身份验证。
我编写了一个简单的函数,允许所有经过身份验证的请求使用测试函数:
@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth{
protected void configure(HttpSecurity http) throws Exception {
http
.formLogin().disable()
.csrf().disable()
.httpBasic()
.and()
.authorizeRequests().anyRequest().authenticated();
}
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("test")
.password("{noop}test");
}
}
并且应用程序设置为不将自动生成的密码用于:
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class })
然而,当我尝试通过 Postman 对任何 url 的请求进行 POST 请求时,我收到一个 403 说“在请求参数”_csrf“或标头”X-CSRF-TOKEN“上发现了无效的 CSRF 令牌'null'。 我无法在任何其他帖子中找到解决方案,我现在甚至不确定我是否在这样做,因为我使用的版本很旧(不幸的是我无法更改它)
PS 我还试图明确告诉它不要使用类似的解决方案来检查它,你可以在这里找到,但我仍然得到同样的错误
P.S.S. pom.xml 这里
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.8.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com</groupId>
<artifactId>authTest</artifactId>
<name>test</name>
<description>basic auth test</description>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
</dependency>
<dependency>
<groupId>net.sourceforge.tess4j</groupId>
<artifactId>tess4j</artifactId>
<version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.apache.pdfbox</groupId>
<artifactId>pdfbox</artifactId>
<version>2.0.0</version>
</dependency>
<dependency> <!-- juli fot tomcat 7-->
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-juli</artifactId>
<version>7.0.59</version>
</dependency>
<dependency>
<groupId>me.xdrop</groupId>
<artifactId>fuzzywuzzy</artifactId>
<version>1.4.0</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
<finalName>${project.artifactId}</finalName>
</build>
</project>
更新:这现在可以工作了,但它也忽略了我为用户设置的密码
@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth extends WebSecurityConfigurerAdapter{
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.httpBasic()
.and()
.authorizeRequests().anyRequest().authenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("test")
.password("{noop}test")
.roles("USER");
}
}
更新 2:现在工作正常,我还必须指定会话策略
@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.cors().and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic().and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("test")
.password("test") // Use {noop} for plain text password (for simplicity)
.roles("USER");
}
}
答:
0赞
Giovanni Grana
11/8/2023
#1
我能够通过使用 Spring Security 的旧方法来解决该问题,并且还解决了会话问题(让以前经过身份验证的用户不重复授权),就像在这里所做的那样设置
@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth extends WebSecurityConfigurerAdapter {//Use WSCA in Spring Security 4.x
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()//Disable csrf
.cors().and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic().and()
.sessionManagement()//Specify the session policy or else it wont ask for dredentials in the next request
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("test")
.password("test")
.roles("USER");//Specify the role even if not used
}
}
评论
(exclude = {SecurityAutoConfiguration.class }SpringBootApplcationWebSecurityConfigurerAdapterWebSecurityConfigurerAdapterError creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalArgumentException: Cannot pass a null GrantedAuthority collection