问题:
如何在Spring Security 4中通过XML配置仅对特定URL模式禁用CSRF?
燕烨
如何在Spring Security 4中通过XML配置仅对特定URL模式禁用CSRF?
Spring安全。xml
<security:http auto-config="true" use-expressions="true" pattern="/ext/**">
<csrf disabled="true" />
</security:http>
<security:http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<security:intercept-url pattern="/auth/**" access="hasAnyRole('ROLE_USER')" />
<security:form-login login-page="/login" authentication-success-handler-ref="loginSuccessHandler" authentication-failure-url="/login" login-processing-url="/j_spring_security_check" />
<security:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
</security:http>
我的代码工作正常,如果我只使用一个安全:http块,但在我添加另一个块后,它抛出错误如下:
错误
Caused by: org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter gov.in.controller.filter.LoginAdtAuthFailHdlr.usernamePasswordAuthenticationFilter; nested exception is org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] is defined: expected single matching bean but found 2: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#1
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:561)
at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessPropertyValues(AutowiredAnnotationBeanPostProcessor.java:331)
... 58 more
Caused by: org.springframework.beans.factory.NoUniqueBeanDefinitionException: No qualifying bean of type [org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter] is defined: expected single matching bean but found 2: org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0,org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#1
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1054)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:942)
at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:533)
... 60 more
共有2个答案
何涵育
您可以有两个(或更多)过滤器链:
<http pattern="/your-specific/**">
<!-- ... -->
<csrf disabled="true"/>
</http>
<http>
<!-- ... -->
</http>
孔彭祖
仅通过XML更改无法实现。下面是我的工作
Spring-security.xml变化
<security:http use-expressions="true" authentication-manager-ref="authenticationManager">
<security:intercept-url pattern="/auth/**" access="hasAnyRole('ROLE_USER')" />
<security:form-login login-page="/login" authentication-success-handler-ref="loginSuccessHandler" authentication-failure-url="/login" login-processing-url="/j_spring_security_check" />
<security:logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
<security:csrf request-matcher-ref="csrfSecurityRequestMatcher" />
</security:http>
CsrfSecurityRequestMatcher
public class CsrfSecurityRequestMatcher implements RequestMatcher {
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
private RegexRequestMatcher unprotectedMatcher = new RegexRequestMatcher("/ext/**", null);
@Override
public boolean matches(HttpServletRequest request) {
if(allowedMethods.matcher(request.getMethod()).matches()){
return false;
}
return !unprotectedMatcher.matches(request);
}
}
类似资料:
-
我的控制器是 我对Spring完全陌生,请帮帮我怎么做?
-
我使用Spring Boot和Spring Security创建我的web项目。我想禁用特定URL模式的CSRF保护,为Android设备提供API。 使用 如何通过XML配置和 Spring Boot的第一种方法:仅对某些请求选择性地启用CSRF检查 我写了以下配置: 运行此项目时,我会出现以下错误: 上面的日志显示正则表达式在 在索引6/api/**附近有悬挂的元字符“*”。但我不知道这个错误
-
我想禁用默认RabbitMockConfiguration中的兔子健康检查。我们有一个通过导入的配置。不幸的是,该配置并不能阻止将健康检查添加到健康指示器中,因为一旦spring-rabbit位于类路径中,就会发生这种情况。 我们有一个解决办法,即在使用该配置的每个服务中添加一个属性文件,这将禁用属性,但对我们来说,如果能够在配置级别禁用该heathcheck将会好得多。 我考虑了使用进行的测试,
-
Csrf筛选器验证从“验证”提交的Csrf令牌,当我从HTTP向https提交请求时,抛出无效令牌异常(403)。如何在这种情况下禁用csrf令牌身份验证?
-
问题内容: 我正在使用无状态Spring Security,但是如果要注册,我想禁用Spring Security。我禁用了 但它不起作用,我在下面收到错误消息: 我认为这意味着弹簧安全过滤器正在工作 我的网址顺序始终为“ / api / v1” 我的spring配置是 我的身份验证过滤器是 我的控制器是 我怎么做? 问题答案: 使用它意味着每个经过身份验证的用户,但是你禁用了匿名访问,因此将无法
-
我想向Hybris的不同客户群展示产品的不同价格。如何通过弹劾来实现这一点?