A long time ago I enabled CSRF protection in the project by adding <csrf /> inside <http></http>:

    <http auto-config='true'>
        <csrf/> <!-- enable CSRF protection -->
        <headers/>
        <!-- <intercept-url pattern="**" access="ROLE_ADMIN,ROLE_USER"/> -->
        <form-login login-page="/login.jsp"/>
        <remember-me key="bcp" use-secure-cookie="true"/>
        <logout invalidate-session="true" logout-url="/logout" logout-success-url="/index.jsp"/>
        <intercept-url pattern="/users" access="ROLE_ADMIN"/>
        <intercept-url pattern="/user/*" access="ROLE_USER,ROLE_ADMIN"/>
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
        </session-management>
        <!-- <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/> -->
    </http>

Today I want to turn CSRF protection off. I have tried many ways, but CSRF protection still seems to be enabled. The evidence that CSRF protection is still on is that I see CsrfFilter mentioned in Tomcat's Log4j logging:
2017-09-03 12:52:33 INFO HttpSecurityBeanDefinitionParser:266 - Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.session.ConcurrentSessionFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 300, Root bean: class [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, Root bean: class [org.springframework.security.web.header.HeaderWriterFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 500, Root bean: class [org.springframework.security.web.csrf.CsrfFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 600, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 700, 
<org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>, order = 1100, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1500, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1900, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2000, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 
2100, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2200, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2300]
2017-09-03 12:52:33 DEBUG XmlWebApplicationContext:543 - Bean factory for Root WebApplicationContext: org.springframework.beans.factory.support.DefaultListableBeanFactory@2d28ac29: defining beans [propertyConfigurer,dataSource,sqlSessionFactoryInfosec,mapperScanner,org.springframework.security.filterChains,org.springframework.security.filterChainProxy,org.springframework.security.web.DefaultSecurityFilterChain#0,org.springframework.security.web.DefaultSecurityFilterChain#1,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.web.PortResolverImpl#0,org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0,org.springframework.security.authentication.ProviderManager#0,requestDataValueProcessor,org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0,org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.core.session.SessionRegistryImpl#0,org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0,org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices#0,org.springframework.security.authentication.RememberMeAuthenticationProvider#0,org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.userDetailsServiceFactory,org.springframework.security.web.DefaultSecurityFilterChain#2,org.springframework.security.authentication.dao.DaoAuthenticationProvider#0,org.springframework.security.aut
hentication.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,myUserDetailService,webexpressionHandler]; root of factory hierarchy
2017-09-03 12:52:33 DEBUG DefaultListableBeanFactory:669 - Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@2d28ac29: defining beans [propertyConfigurer,dataSource,sqlSessionFactoryInfosec,mapperScanner,org.springframework.security.filterChains,org.springframework.security.filterChainProxy,org.springframework.security.web.DefaultSecurityFilterChain#0,org.springframework.security.web.DefaultSecurityFilterChain#1,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.web.PortResolverImpl#0,org.springframework.security.config.authentication.AuthenticationManagerFactoryBean#0,org.springframework.security.authentication.ProviderManager#0,requestDataValueProcessor,org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0,org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.core.session.SessionRegistryImpl#0,org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0,org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices#0,org.springframework.security.authentication.RememberMeAuthenticationProvider#0,org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.userDetailsServiceFactory,org.springframework.security.web.DefaultSecurityFilterChain#2,org.springframework.security.authentication.dao.DaoAuthenticationProvider#0,org.springframework.security.authentication
.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,myUserDetailService,webexpressionHandler,userMapper,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.importAwareProcessor,org.springframework.context.annotation.ConfigurationClassPostProcessor.enhancedConfigurationProcessor]; root of factory hierarchy
2017-09-03 12:52:34 DEBUG DefaultListableBeanFactory:220 - Creating shared instance of singleton bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:34 DEBUG DefaultListableBeanFactory:449 - Creating instance of bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:34 DEBUG DefaultListableBeanFactory:523 - Eagerly caching bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0' to allow for resolving potential circular references
2017-09-03 12:52:34 DEBUG DefaultListableBeanFactory:477 - Finished creating instance of bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:35 DEBUG DefaultListableBeanFactory:249 - Returning cached instance of singleton bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:35 DEBUG DefaultListableBeanFactory:249 - Returning cached instance of singleton bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:35 DEBUG DefaultListableBeanFactory:249 - Returning cached instance of singleton bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:35 DEBUG DefaultListableBeanFactory:249 - Returning cached instance of singleton bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:35 INFO DefaultSecurityFilterChain:28 - Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.SecurityContextPersistenceFilter@179474ff, org.springframework.security.web.session.ConcurrentSessionFilter@7bac2803, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@de53cc3, org.springframework.security.web.header.HeaderWriterFilter@26626124, org.springframework.security.web.csrf.CsrfFilter@12e5ca9b, org.springframework.security.web.authentication.logout.LogoutFilter@81314f4, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@2cb43211, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@196a0de2, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25e7ad46, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@35c3a9ba, org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter@38ea21a9, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@71a62e4b, org.springframework.security.web.session.SessionManagementFilter@693320a4, org.springframework.security.web.access.ExceptionTranslationFilter@4115ca41, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@281b4ca3]
2017-09-03 12:52:35 DEBUG DefaultListableBeanFactory:249 - Returning cached instance of singleton bean 'org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository#0'
2017-09-03 12:52:38 DEBUG FilterChainProxy:337 - /index.jsp at position 5 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2017-09-03 12:52:39 DEBUG FilterChainProxy:337 - /index.jsp at position 5 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2017-09-03 12:52:39 DEBUG FilterChainProxy:337 - /index.jsp at position 5 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2017-09-03 12:52:47 DEBUG FilterChainProxy:337 - /login.jsp at position 5 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2017-09-03 12:52:49 DEBUG FilterChainProxy:337 - /j_spring_security_check at position 5 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2017-09-03 12:52:49 DEBUG CsrfFilter:95 - Invalid CSRF token found for http://localhost:8080/j_spring_security_check
The ways I have tried to turn CSRF protection off include: deleting the <csrf/> line between <http></http>. That does not work; the log still shows the same CSRF environment. Using Java-based configuration (I set a breakpoint on the disable line, but it is never hit):

    package infosec.utils;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @EnableWebSecurity
    @Configuration
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // breakpoint set here, never hit
            http.csrf().disable();
        }
    }

Setting a breakpoint in the org.springframework.security.web.csrf.CsrfFilter constructor: it is hit, but I don't know where it is called from:
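An added configuration example (not from the question or the Spring Security project) showing where the CSRF setting actually lives for the filter chain in the log above. The log line "HttpSecurityBeanDefinitionParser ... Checking sorted filter chain" is the XML namespace parser building the chain from the <http> element, so a Java WebSecurityConfigurerAdapter in the same application is not what produces that chain, and its csrf().disable() cannot affect it. In Spring Security 4 and later the XML namespace enables CSRF protection by default, so removing <csrf/> changes nothing; the explicit opt-out is the disabled attribute on that element. The file below assumes the Spring Security 4 namespace and keeps the question's own URLs and roles; the request-matcher bean name is an assumption for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="true">
        <!-- Recommended: keep CSRF protection on. This is the default in Spring
             Security 4+, so deleting the element does NOT turn it off; it is written
             out here only to make the intent visible to the next reader. -->
        <csrf/>

        <!-- The only XML switch that turns the CsrfFilter off for this <http> block.
             The log entry "Invalid CSRF token found for .../j_spring_security_check"
             is what the filter reports when the login form posts without a token;
             that is fixed in the form, not by removing the filter.
        <csrf disabled="true"/>
        -->

        <!-- Narrower alternative: keep protection everywhere except requests matched
             by a RequestMatcher bean you define (for example an API path that is
             authenticated with a non-cookie credential). Bean name is hypothetical.
        <csrf request-matcher-ref="csrfRequestMatcher"/>
        -->

        <headers/>
        <form-login login-page="/login.jsp"/>
        <remember-me key="bcp" use-secure-cookie="true"/>
        <logout invalidate-session="true" logout-url="/logout" logout-success-url="/index.jsp"/>
        <intercept-url pattern="/users" access="ROLE_ADMIN"/>
        <intercept-url pattern="/user/*" access="ROLE_USER,ROLE_ADMIN"/>
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false"/>
        </session-management>
    </http>

</beans:beans>
```

Only one <csrf> element is allowed per <http>, which is why the alternatives are commented out. With protection kept on, the login page has to send the token the filter expects: CsrfFilter stores the current CsrfToken as the request attribute _csrf, so in login.jsp the form needs a hidden field named ${_csrf.parameterName} with value ${_csrf.token} next to the username and password inputs. After that change the DEBUG line "firing Filter: 'CsrfFilter'" will still appear for every request (the filter runs on every request and only rejects unsafe methods without a valid token), but the "Invalid CSRF token" line for the login POST goes away.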