我使用了不同端口的spring-boot-actuator,如下所示
server.port=8080
management.port=8989
在应用程序中,我想使用enable-csrf=true
,但我不想在执行器端口中使用csrf
。因为我想对jolokia使用批量POST请求。
仅排除/actuator
并不聪明。
http.csrf().ignoringAntMatchers("/actuator/**");
喜欢以下属性对我有好处(bt management.security.enable-csrf
不存在)。
security.enable-csrf=true
management.security.enable-csrf=false
有什么好的解决方案吗?
答案 0 :(得分:1)
由于您拥有不同的管理端口,因此您只需禁用CSRF:
@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
return new AndRequestMatcher(requestMatchers);
}
private static RequestMatcher not(RequestMatcher requestMatcher) {
return new NegatedRequestMatcher(requestMatcher);
}
private final ManagementServerProperties managementServerProperties;
public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().requireCsrfProtectionMatcher(
allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
// other configuration
}
private RequestMatcher accessingManagementPort() {
return httpServletRequest -> httpServletRequest.getLocalPort() == managementServerProperties.getPort();
}
}