2016-03-06 112 views
2

Spring Boot Actuator: disable CSRF

I use Spring Boot Actuator with a different port, like the following:

server.port=8080 
management.port=8989 

In the application I want to use enable-csrf=true, but I don't want to use CSRF on the actuator port, because I want to send bulk POST requests to jolokia.

Only excluding /actuator is not smart.

http.csrf().ignoringAntMatchers("/actuator/**"); 

Properties like the following would be good for me (but management.security.enable-csrf does not exist).

security.enable-csrf=true 
management.security.enable-csrf=false 

Is there any good solution?

+0

I know what you're trying to do, and it's a bit tricky... [Possible workaround](http://stackoverflow.com/questions/31143703/spring-boot-management-port-and-spring-security) – dkanejs

Answers

1

Since you have a different management port, you can simply disable CSRF for it:

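import java.util.Objects;

// Spring Boot 1.x package (matches the management.port property used in the question)
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Matches only when every given matcher matches.
    private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
        return new AndRequestMatcher(requestMatchers);
    }

    // Inverts the given matcher.
    private static RequestMatcher not(RequestMatcher requestMatcher) {
        return new NegatedRequestMatcher(requestMatcher);
    }

    private final ManagementServerProperties managementServerProperties;

    public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
        this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Require a CSRF token for state-changing methods, except on the management port.
        http.csrf().requireCsrfProtectionMatcher(
                allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
        // other configuration
    }

    // True when the request arrived on the connector bound to management.port.
    private RequestMatcher accessingManagementPort() {
        return httpServletRequest -> httpServletRequest.getLocalPort() == managementServerProperties.getPort();
    }

}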
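
To check the port-based matcher from the answer above without starting a server, this added example (not part of the original answer) evaluates the same composition against constructed `MockHttpServletRequest` objects from spring-test. The ports mirror the question's properties; the class name, the helper names and the `/jolokia` and `/transfer` paths are assumptions for illustration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example: shows which requests the composite matcher sends through CSRF validation.
public class CsrfPortMatcherCheck {

    // Constructed values mirroring server.port and management.port from the question.
    static final int APP_PORT = 8080;
    static final int MANAGEMENT_PORT = 8989;

    // Same composition as the answer, with the port passed in instead of ManagementServerProperties.
    static RequestMatcher csrfRequired(int managementPort) {
        RequestMatcher onManagementPort = req -> req.getLocalPort() == managementPort;
        return new AndRequestMatcher(
                CsrfFilter.DEFAULT_CSRF_MATCHER,
                new NegatedRequestMatcher(onManagementPort));
    }

    // Builds a constructed request as it would arrive on the given connector port.
    static MockHttpServletRequest request(String method, String uri, int localPort) {
        MockHttpServletRequest request = new MockHttpServletRequest(method, uri);
        request.setLocalPort(localPort);
        return request;
    }

    // Fails loudly if the matcher decision differs from what the configuration intends.
    static void expect(boolean expected, boolean actual, String label) {
        if (expected != actual) {
            throw new AssertionError(label + ": expected " + expected + " but got " + actual);
        }
        System.out.println(label + " -> CSRF token required: " + actual);
    }

    public static void main(String[] args) {
        RequestMatcher matcher = csrfRequired(MANAGEMENT_PORT);
        expect(false, matcher.matches(request("POST", "/jolokia", MANAGEMENT_PORT)), "POST /jolokia on 8989");
        expect(true, matcher.matches(request("POST", "/transfer", APP_PORT)), "POST /transfer on 8080");
        expect(false, matcher.matches(request("GET", "/transfer", APP_PORT)), "GET /transfer on 8080");
        // The decision follows the port, not the path: the same URI on the app port stays protected.
        expect(true, matcher.matches(request("POST", "/jolokia", APP_PORT)), "POST /jolokia on 8080");
    }
}
```

Because the exemption covers every request accepted on the management port, the check is only as strong as the network controls limiting who can reach that port.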