解决方案:
方式一.服务后台配置
1.直接禁用 CSRF 保护：在 configure(HttpSecurity http) 方法中添加 http.csrf().disable();（注意：这会对所有请求关闭 CSRF 校验，仅适用于不依赖 Cookie/Session 登录态的纯接口场景。）
2.重写csrf保护策略。
在configure(HttpSecurity http)方法中添加 http.csrf().requireCsrfProtectionMatcher(requestMatcher());
新增处理类
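package com.levenx.config.security;

import org.springframework.security.web.util.matcher.RequestMatcher;

import javax.servlet.http.HttpServletRequest;

import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Decides which requests Spring Security's {@code CsrfFilter} must check for a CSRF token.
 * <p>
 * Register it with {@code http.csrf().requireCsrfProtectionMatcher(new CsrfSecurityRequestMatcher())}.
 * Under the contract of {@code requireCsrfProtectionMatcher}, returning {@code true} means
 * "this request requires CSRF protection". Like Spring's default matcher, requests using a safe
 * method (GET, HEAD, TRACE, OPTIONS) are exempt and every other method is checked; in addition,
 * paths listed in {@link #PROTECTED_PATHS} are checked regardless of method.
 * <p>
 * Created by 乐闻 on 2018/9/11.
 */
public class CsrfSecurityRequestMatcher implements RequestMatcher {

    /** HTTP methods that are exempt from the token check (same set as Spring's default matcher). */
    private static final Pattern SAFE_METHODS = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    /**
     * Servlet paths that must always carry a CSRF token, even for safe methods. Empty by default;
     * add entries to suit your own needs, e.g. {@code Arrays.asList("/api/test")}.
     */
    private static final List<String> PROTECTED_PATHS = Arrays.asList();

    /**
     * Returns {@code true} when {@code request} must present a valid CSRF token.
     * <p>
     * The original version also called {@code request.getParameter("")}; that call never
     * influenced the result and was removed.
     *
     * @param request the incoming request
     * @return {@code true} if the CSRF filter should validate the token for this request
     */
    @Override
    public boolean matches(HttpServletRequest request) {
        if (!PROTECTED_PATHS.isEmpty()) {
            String servletPath = request.getServletPath();
            for (String path : PROTECTED_PATHS) {
                // Substring match, as in the original. It is over-inclusive ("/api/test" also
                // covers "/v2/api/testing"), which only widens protection; for exact matching
                // use Spring's AntPathRequestMatcher instead.
                if (servletPath.contains(path)) {
                    return true;
                }
            }
        }
        // Fixed: the original returned true for safe methods, i.e. it demanded a token on GET
        // and skipped POST/PUT/DELETE, inverting the contract. Protection is required for every
        // request that does NOT use a safe method (this is also what Spring's default does).
        return !SAFE_METHODS.matcher(request.getMethod()).matches();
    }
}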
或者反过来，只对指定路径放行（这些路径不做 CSRF 校验）:
RequestMatcher requestMatcher = new CsrfSecurityRequestMatcher(); http.csrf().requireCsrfProtectionMatcher(requestMatcher);
其中 CsrfSecurityRequestMatcher 需自行实现 RequestMatcher 接口，matches 返回 true 表示该请求需要进行 CSRF 校验：
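/**
 * Decides which requests Spring Security's {@code CsrfFilter} must check for a CSRF token.
 * <p>
 * Register it with {@code http.csrf().requireCsrfProtectionMatcher(requestMatcher)}. Returning
 * {@code true} means "this request requires CSRF protection". Like Spring's default matcher,
 * safe methods (GET, HEAD, TRACE, OPTIONS) are exempt and every other method is checked, except
 * that requests whose servlet path matches an entry in {@link #EXCLUDED_PATHS} are exempt too.
 */
public class CsrfSecurityRequestMatcher implements RequestMatcher {

    /** HTTP methods exempt from the token check (same set as Spring's default matcher). */
    private static final Pattern SAFE_METHODS = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    /**
     * Servlet paths allowed to be POSTed without a CSRF token. Keep this list as short as
     * possible: every entry is an endpoint that a cross-site page can submit to.
     */
    private static final List<String> EXCLUDED_PATHS = new ArrayList<>();

    static {
        // Exemption used by the sample. This is only a simple test; design the real exclusion
        // rules to suit your own needs.
        EXCLUDED_PATHS.add("sys/getSecCode.do");
    }

    /**
     * Returns {@code true} when {@code request} must present a valid CSRF token.
     * <p>
     * The original version also called {@code request.getParameter("")}; that call never
     * influenced the result and was removed.
     *
     * @param request the incoming request
     * @return {@code false} for safe methods and for excluded paths, {@code true} otherwise
     */
    @Override
    public boolean matches(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        for (String path : EXCLUDED_PATHS) {
            // NOTE(review): contains() is a substring test, so any servlet path that merely
            // contains "sys/getSecCode.do" is exempted as well. An exact comparison (or Spring's
            // AntPathRequestMatcher) would confine the exemption to the intended endpoint.
            if (servletPath.contains(path)) {
                return false;
            }
        }
        return !SAFE_METHODS.matcher(request.getMethod()).matches();
    }
}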