spring-boot-actuator禁用csrf

时间:2016-03-06 03:36:31

标签: spring-security csrf spring-boot-actuator

我使用了不同端口的spring-boot-actuator,如下所示

server.port=8080
management.port=8989

在应用程序中,我想使用enable-csrf=true,但我不想在执行器端口中使用csrf。因为我想对jolokia使用批量POST请求。

仅排除/actuator并不聪明。

http.csrf().ignoringAntMatchers("/actuator/**");

喜欢以下属性对我有好处(bt management.security.enable-csrf不存在)。

security.enable-csrf=true
management.security.enable-csrf=false

有什么好的解决方案吗?

1 个答案:

答案 0 :(得分:1)

由于您拥有不同的管理端口,因此您只需禁用CSRF:

@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
        return new AndRequestMatcher(requestMatchers);
    }

    private static RequestMatcher not(RequestMatcher requestMatcher) {
        return new NegatedRequestMatcher(requestMatcher);
    }

    private final ManagementServerProperties managementServerProperties;

    public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
        this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(
                allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
        // other configuration
    }

    private RequestMatcher accessingManagementPort() {
        return httpServletRequest -> httpServletRequest.getLocalPort() == managementServerProperties.getPort();
    }

}