ajax option请求后无post请求_Spring Security 4.x+ 启用CSRF防御后logout只能是POST请求

最新推荐文章于 2023-07-13 12:21:35 发布

weixin_42097189

最新推荐文章于 2023-07-13 12:21:35 发布

阅读量92

点赞数

文章标签： ajax option请求后无post请求

本文链接：https://blog.csdn.net/weixin_42097189/article/details/112090727

版权

官方文档地址：

Spring Security Referencedocs.spring.io

Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.

（译:添加CSRF将更新LogoutFilter以仅使用HTTP POST。这样可以确保log out 请求需要CSRF令牌并且恶意用户无法伪造你的log out 请求。）

One approach is to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.

（译：一种方法是使用表单注销。如果你真的想要一个链接，你可以使用JavaScript让链接执行POST（也许在一个隐藏的表单）。对于禁用JavaScript的浏览器，您可以选择包含用户到登录确认页面的链接，这将执行POST。）

If you really want to use HTTP GET with logout you can do so, but remember this is generally not recommended. For example, the following Java Configuration will perform logout with the URL /logout is requested with any HTTP method:

（译：如果你真的想使用HTTP GET与注销，你可以这样做，但记住这是一般不推荐。例如，以下Java配置将执行注销，使用任何HTTP方法请求URL /注销：）

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .logout(logout ->
                logout
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            );
    }
}