2

我使用了具有不同端口的 spring-boot-actuator,如下所示

server.port=8080
management.port=8989

在应用程序中,我想使用enable-csrf=true,但我不想csrf在执行器端口中使用。因为我想对 jolokia 使用批量 POST 请求。

只排除/actuator并不聪明。

http.csrf().ignoringAntMatchers("/actuator/**");

就像以下属性对我有好处(btmanagement.security.enable-csrf不存在)。

security.enable-csrf=true
management.security.enable-csrf=false

有什么好的解决办法吗?

4

1 回答 1

1

由于您有不同的管理端口,您可以简单地为此禁用 CSRF:

@Configuration
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static RequestMatcher allOf(RequestMatcher... requestMatchers) {
        return new AndRequestMatcher(requestMatchers);
    }

    private static RequestMatcher not(RequestMatcher requestMatcher) {
        return new NegatedRequestMatcher(requestMatcher);
    }

    private final ManagementServerProperties managementServerProperties;

    public MySecurityConfiguration(ManagementServerProperties managementServerProperties) {
        this.managementServerProperties = Objects.requireNonNull(managementServerProperties);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(
                allOf(CsrfFilter.DEFAULT_CSRF_MATCHER, not(accessingManagementPort())));
        // other configuration
    }

    private RequestMatcher accessingManagementPort() {
        return httpServletRequest -> httpServletRequest.getLocalPort() == managementServerProperties.getPort();
    }

}
于 2017-06-13T10:04:36.227 回答