Spring Boot CSRF不会被.csrf().disable()禁用

oxiaedzo  于 2023-11-17  发布在  Spring
关注(0)|答案(1)|浏览(118)

我目前正在使用 Springboot 1.5.8Spring Security,我正在测试基本的身份验证。
我写了一个简单的函数,允许所有经过身份验证的请求使用测试函数:

@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth{
    
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().disable()
            .csrf().disable()
            .httpBasic()
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
    
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("test")
            .password("{noop}test");
    }
}

字符串
并且应用程序被设置为不使用自动生成的密码:

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class })


然而,当我尝试通过Postman对任何URL的请求进行POST请求时,我得到一个403,说**“在请求参数'_csrf'或头'X-CSRF-TOKEN'上发现无效的CSRF令牌'null'”。即使它显然是停用。我还没有能够找到一个解决方案,在任何其他职位,我现在甚至不知道如果我这样做是正确的,因为我使用的版本是很老了(不幸的是,我不能改变它)
P.S.我也试图明确地告诉它不要使用类似的解决方案来检查它,你可以找到here,但我仍然得到了同样的错误
P.S.S. pom.xml here

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.8.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com</groupId>
    <artifactId>authTest</artifactId>
    <name>test</name>
    <description>basic auth test</description>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
        <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security -->
        <dependency>
        <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-validation</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>
        <dependency>
            <groupId>net.sourceforge.tess4j</groupId>
            <artifactId>tess4j</artifactId>
            <version>4.0.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.pdfbox</groupId>
            <artifactId>pdfbox</artifactId>
            <version>2.0.0</version>
        </dependency>
        <dependency> <!-- juli fot tomcat 7-->
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-juli</artifactId>
            <version>7.0.59</version>
        </dependency>
        <dependency>
            <groupId>me.xdrop</groupId>
            <artifactId>fuzzywuzzy</artifactId>
            <version>1.4.0</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
        <finalName>${project.artifactId}</finalName>
    </build>

</project>

UPDATE:现在可以了,但也忽略了我为用户设置的密码

@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth extends WebSecurityConfigurerAdapter{
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .httpBasic()
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
    
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("test")
            .password("{noop}test")
            .roles("USER");
    }
}

更新2:现在工作正常,我还必须指定会话策略

@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .cors().and()
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .httpBasic().and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("test")
            .password("test") // Use {noop} for plain text password (for simplicity)
            .roles("USER");
    }
}

qxgroojn

qxgroojn1#

我能够通过使用Spring Security的旧方法解决这个问题,还通过设置会话just like it's done here解决了会话问题(让以前经过身份验证的用户不重复认证)。

@Configuration
@EnableWebSecurity
public class SecurityConfigurationBasicAuth extends WebSecurityConfigurerAdapter {//Use WSCA in Spring Security 4.x

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()//Disable csrf
            .cors().and()
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .httpBasic().and()
            .sessionManagement()//Specify the session policy or else it wont ask for dredentials in the next request
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("test")
            .password("test")
            .roles("USER");//Specify the role even if not used
    }
}

字符串

相关问题