我用彈簧啓動器與不同的端口像以下彈簧引導驅動器禁用CSRF
server.port=8080
management.port=8989
而在應用程序中,我想用enable-csrf=true,但我不希望在驅動器使用csrf港口。因爲我想使用批量POST請求給jolokia。
只有排除/actuator不聰明。
http.csrf().ignoringAntMatchers("/actuator/**");
像以下屬性是爲我好(BT management.security.enable-csrf是不存在的)。
security.enable-csrf=true
management.security.enable-csrf=false
有沒有什麼好的解決方案?
既然你有不同的管理端口,你可以簡單地禁用CSRF爲:
@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
return new AndRequestMatcher(requestMatchers);
}
private static RequestMatcher not(RequestMatcher requestMatcher) {
return new NegatedRequestMatcher(requestMatcher);
}
private final ManagementServerProperties managementServerProperties;
public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().requireCsrfProtectionMatcher(
allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
// other configuration
}
private RequestMatcher accessingManagementPort() {
return httpServletRequest -> httpServletRequest.getLocalPort() == managementServerProperties.getPort();
}
}
我知道你正在嘗試做的,這是一個有點棘手...... [可能的解決方法(HTTP:/ /stackoverflow.com/questions/31143703/spring-boot-management-port-and-spring-security) – dkanejs