
我有一个用 Spring Security 保护的 Spring Boot 应用程序。现在我想让它免受 CSRF 漏洞的影响,所以在 Spring Security 配置中添加了这一行:

// HttpOnly=false on purpose: the browser-side client (AngularJS $http XSRF support below)
// must be able to read the token cookie and echo it back in the request header.
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())

客户端使用的是 AngularJS 1.6,我在 app.js 文件中添加了这两行:

// These are already AngularJS's default names and also match CookieCsrfTokenRepository's
// default cookie ("XSRF-TOKEN") and header ("X-XSRF-TOKEN"); setting them here makes the pairing explicit.
$httpProvider.defaults.xsrfCookieName = 'XSRF-TOKEN';
$httpProvider.defaults.xsrfHeaderName = 'X-XSRF-TOKEN';

现在,当我尝试执行某些请求时,我得到了未经授权的状态,
我认为我遗漏了一些东西,有人可以帮助我吗?

---- 更多细节:这是我的 spring 安全配置:

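@Override
protected void configure(HttpSecurity http) throws Exception {
    // Startup trace only; no logger is in scope in this block.
    System.out.println("Setting up Security configuration");

    // CSRF token is issued in a non-HttpOnly cookie so the browser-side client
    // can read it and send it back in the X-XSRF-TOKEN header.
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .addFilterBefore(new AlreadyConnectedFilter(), UsernamePasswordAuthenticationFilter.class)
            .authenticationProvider(authProvider)
            .exceptionHandling()
            // NOTE(review): this entry point appears to be overridden by the lambda registered
            // through http.exceptionHandling() further down, so the injected
            // authenticationEntryPoint bean would never run — confirm which one is intended.
            .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .formLogin()
            .permitAll()
            .loginProcessingUrl("/login")
            .usernameParameter("username")
            .passwordParameter("password")
            .successHandler(authSuccessHandler)
            .failureHandler(authFailureHandler)
            .and()
            .logout()
            .permitAll()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "DELETE"))
            .logoutSuccessHandler(logoutSuccessHandler)
            .and()
            .sessionManagement()
            // NOTE(review): -1 is the "unlimited concurrent sessions" value — confirm this is intended.
            .maximumSessions(-1)
            .expiredSessionStrategy(new CustomSessionInformationExpiredStrategy())
            .sessionRegistry(sessionRegistry());

    // NOTE(review): permitAll() on every request means the authorization layer protects
    // no endpoint; access is governed only by the filters/handlers configured above — confirm.
    http.httpBasic().and().authorizeRequests()
            .anyRequest().permitAll();

    // Both failure paths emit the same JSON body; only the status and message differ.
    // NOTE(review): CSRF token rejections are expected to surface through the
    // access-denied path (403), not the 401 entry point — worth confirming when
    // diagnosing "unauthorized" responses.
    http.exceptionHandling()
            .accessDeniedHandler((request, response, accessDeniedException) ->
                    writeJsonError(response, HttpServletResponse.SC_FORBIDDEN,
                            accessDeniedException.getMessage()))
            .authenticationEntryPoint((request, response, authException) ->
                    writeJsonError(response, HttpServletResponse.SC_UNAUTHORIZED,
                            authException.getMessage()));
}

/** Shared mapper for error bodies; the handlers previously built a new ObjectMapper per response. */
private static final ObjectMapper ERROR_MAPPER = new ObjectMapper();

/**
 * Writes the JSON error body ({@code message}, {@code errors}, {@code status}) shared by the
 * access-denied handler and the authentication entry point.
 *
 * @param response the servlet response to complete
 * @param status   the HTTP status to set and to echo in the body
 * @param message  the exception message placed in the {@code message} field
 * @throws java.io.IOException if the response writer cannot be obtained or written
 */
private static void writeJsonError(HttpServletResponse response, int status, String message)
        throws java.io.IOException {
    // Must precede getWriter(): without an explicit charset the servlet writer defaults to ISO-8859-1
    // and non-Latin characters in the message would be mangled.
    response.setCharacterEncoding("UTF-8");
    response.setContentType("application/json");
    response.setStatus(status);
    Map<String, Object> contentToSend = new HashMap<>();
    contentToSend.put("message", message);
    contentToSend.put("errors", new ArrayList<>());
    contentToSend.put("status", status);
    PrintWriter writer = response.getWriter();
    writer.write(ERROR_MAPPER.writeValueAsString(contentToSend));
    writer.flush();
}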
