1.1.SpringSecurity配置,public class SecurityConfig extends WebSecurityConfigurerAdapter
@Override
protected void configure(HttpSecurity http) throws Exception {
//code...
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
2.vue组件axios,config.js,默认支持也可以不配置
axios.defaults.withCredentials = true // 设置cross跨域,并设置访问权限,允许跨域
axios.defaults.crossDomain = true
axios.defaults.headers.post['Content-Type'] = 'application/json;charset=utf-8' // 设置post请求头
axios.defaults.headers.put['Content-Type'] = 'application/json;charset=utf-8' // 设置post请求头
axios.defaults.timeout = 60000 // 请求超时响应
axios.defaults.responseType = 'json' // 请求超时响应
axios.defaults.xsrfCookieName = 'XSRF-TOKEN'
axios.defaults.xsrfHeaderName = 'X-XSRF-TOKEN'
3.小程序请求框架为uni-app,由于不带cookie,可以配置CSRF小程序路径放开,小程序接口统一放在/miniapi路径下,对小程序统一鉴权有兴趣的我可以再写一篇
4.csrf按请求路径URL过滤,AntPathRequestMatcher实现/miniapi路径下请求不进行拦截
@Override
protected void configure(HttpSecurity http) throws Exception {
//code...
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
http.csrf().requireCsrfProtectionMatcher(new CsrfSecurityRequestMatcher());
}
public class CsrfSecurityRequestMatcher implements RequestMatcher{
private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
private AntPathRequestMatcher antPathRequestMatcher=new AntPathRequestMatcher("/miniapi/**");
@Override
public boolean matches(HttpServletRequest request) {
if(allowedMethods.matcher(request.getMethod()).matches()){
return false;
}
boolean b = !antPathRequestMatcher.matches(request);
return b;
}
}
5.多环境支持
跨域只是为了保证生产环境安全,开发环境为了方便swagger使用和自动化测试,可以配置不开启
csrf: false
@Value("${csrf}")
private Boolean csrf;
// 启用CSRF
if(csrf){
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
http.csrf().requireCsrfProtectionMatcher(new CsrfSecurityRequestMatcher());
}else {
http.csrf().disable();
}