英文:
How to make Spring Security allow anonymous POST requests?
问题
我有一个Spring Boot网络应用程序,其中大多数端点都需要身份验证。然而,少数映射将允许匿名访问;它们是通用规则的例外。
我无法使这对于POST调用起作用,它们总是得到403错误。
安全配置...
```java
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().regexMatchers("/","/posthello").anonymous()
.and()
.authorizeRequests().anyRequest().authenticated();
}
}
控制器...
@RestController
public class HelloController {
// 这在匿名调用时返回HTTP 200和正文
@GetMapping("/")
public String helloWorld() {
return "Hello World!";
}
// 正如预期的那样,这需要身份验证
@GetMapping("/gethello")
public String getHelloWorld(String body) {
return "You got: Hello, World!";
}
// 即使它被期望为例外情况,这总是在匿名调用时返回HTTP 403
@PostMapping("/posthello")
public String postHelloWorld(@RequestBody String body) {
return "You posted: " + body;
}
}
<details>
<summary>英文:</summary>
I have a Spring Boot web application, where most endpoints require authentication. However, a few mappings shall allow anonymous access; they are exceptions from the general rule.
I cannot get this to work for POST calls, they are always getting 403.
The security configuration...
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().regexMatchers("/", "/posthello").anonymous()
.and()
.authorizeRequests().anyRequest().authenticated();
}
}
The controller...
@RestController
public class HelloController {
// This returns HTTP 200 and body on anonymous calls
@GetMapping("/")
public String helloWorld() {
return "Hello World!";
}
// This demands authentication, as expected
@GetMapping("/gethello")
public String getHelloWorld(String body) {
return "You got: Hello, World!";
}
// This always returns HTTP 403 on anonymous calls,
// even though it is supposed to be excepted
@PostMapping("/posthello")
public String postHelloWorld(@RequestBody String body) {
return "You posted: " + body;
}
}
</details>
# 答案1
**得分**: 5
Patel Romil正确指出403错误是由CSRF引起的,禁用CSRF将禁用该保护。他明智地提醒不要在生产应用程序中这样做。
禁用整个站点的CSRF的替代方法是指定允许的端点列表,如下所示:
```java
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.ignoringAntMatchers("/posthello")
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/posthello").anonymous()
.anyRequest().authenticated();
}
}
尽管如此,真正的解决方案可能是配置应用程序以使用CSRF令牌。没有CSRF保护,任意第三方Web应用程序可以调用POST /posthello
。
英文:
Patel Romil is correct that the 403 is caused by CSRF and that disabling CSRF would disable that protection. He's also wise to warn against doing that in a production application.
An alternative to disabling CSRF for the entire site is specifying an allowlist of endpoints, like so:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.ignoringAntMatchers("/posthello")
.and()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/posthello").anonymous()
.anyRequest().authenticated();
}
}
That said, the real solution is likely to configure the application to use CSRF tokens. Without CSRF protection, arbitrary third-party web applications can invoke POST /posthello
.
答案2
得分: 2
您可以像这样提及不需要身份验证的端点。
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/", "/error", "/user/signup", "/user/signin", "/swagger-ui.html")
.permitAll().anyRequest().authenticated().and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
英文:
You can mention the endpoints like this, for which authenication is not required.
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests()
.antMatchers("/", "/error", "/user/signup", "/user/signin", "/swagger-ui.html")
.permitAll().anyRequest().authenticated().and().sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
答案3
得分: 1
禁止访问错误可能是由于 CSRF 引起的。您可以尝试在 configure
方法中禁用 CSRF,如下所示。
http
.csrf().disable()
// 其他配置
或者,您可以在发送 POST 请求的表单中添加以下隐藏字段。 (这适用于 Thymeleaf。您可以根据您的视图进行调整)
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
英文:
Forbidden errors might occur due to csrf. You can try disabling the csrf in your configure
method as below.
http
.csrf().disable()
// remaining configurations
Alternatively, you can add the following hidden field in your form which is sending the POST request. (It is for thymeleaf. You can get this as per your view)
<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
答案4
得分: 1
你需要使用csrf().disable()
来禁用CSRF令牌。我建议您在生产环境中使用CSRF令牌。除此之外,您可以通过在antMatchers中使用HttpMethod.method来允许特定方法的anonymous()
访问。
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/posthello").anonymous()
.anyRequest().authenticated();
}
}
或者
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/posthello").anonymous()
.antMatchers("**/**").authenticated();
}
}
为了在生产环境中启用CSRF,我在这里添加了更多细节:
回答1,回答2
英文:
You have to disable the CSRF Tokens using csrf().disable()
. I recommended you to use the CSRF Tokens in production. Along with that, you may allow the anonymous()
access for the specific methods by using the HttpMethod.method in antMatchers
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/posthello").anonymous()
.anyRequest().authenticated();
}
}
OR
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/posthello").anonymous()
.antMatchers("**/**").authenticated();
}
}
To enable the CSRF in production I have added the more details here
Answer 1, Answer 2
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论