如何检查csrf安全性是否处于活动状态?

aelbi1ox  于 2021-09-29  发布在  Java
关注(0)|答案(0)|浏览(225)

在我的SpringBoot项目中,我试图实现csfr安全性。特别是,该项目只通过resttemplate调用端点((RESTAPI get和post)。

//CONTROLLER
@GetMapping("/RT_Get1")
public void getWithRestTemplateGet1() throws Exception{
    try {
        fourStoreService.getWithRestTemplateGet1();
        } catch (final Exception e) {
        this.errorLog(methodName, e);
        throw e;
        }
    }

//SERVICE
@ResponseBody
    public void getWithRestTemplateGet1() {
        try {
            String url = protocol + ip + root + gets.get(0);
            HttpHeaders headers = new HttpHeaders();
            headers.setBasicAuth(username, password);
            HttpEntity request = new HttpEntity(headers);
            try {
                if (url.startsWith("https")) {
                    restTemplate = getRestTemplateForSelfSsl();
                } else {
                    restTemplate = new RestTemplate();
                }
                ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.GET, request, String.class);
                HttpStatus statusCode = response.getStatusCode();
                logger.info("STATUS GET1: " + statusCode);
            } catch (HttpStatusCodeException e) {
                logger.error(e.getMessage());
            }
        } catch (Exception e) {
            logger.error(e.getMessage());
        }
    }

我实现了如下csrf配置类:

public class CSRFSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Value("${security.enable-csrf}")
    private boolean csrfEnabled;

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasAnyRole("USER").and().formLogin().loginPage("/login")
                .permitAll();

        if (csrfEnabled) {
            http.csrf().disable();
        }
    }

激活和停用变量在application.yml中设置。

security:
  enable:
    csrf: false

但我怎么知道csfr安全是否有效。。。当我使用rest模板打电话时,可以添加什么类型的日志?请帮帮我。

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题