탐색 도움말
가입하기 로그인
github
/
spring-security
의 미러 https://github.com/spring-projects/spring-security
2
0
포크 0
파일 이슈 0 위키
소스 검색

Disable CSRF by Request Matcher

This introduces an evolution on CsrfConfigurer#ignoreAntMatchers,
allowing users to specify a RequestMatcher in the circumstance where
more than just the path needs to be analyzed to determine whether
CsrfFilter should require a token for the request.

Simply put, a user can now selectively disable csrf by request matcher
in addition to the way it can already be done with ant matchers.

Fixes: gh-5477
Josh Cummings 7 년 전
부모
ed20edd177
커밋
b7ccb63dfd
2개의 변경된 파일158개의 추가작업 그리고 2개의 파일을 삭제
통합 보기 변경상태 보기
  1. 31 2
      config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java
  2. 127 0
      config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerIgnoringRequestMatchersTests.java

+ 31 - 2
config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java
파일 보기 

@@ -1,5 +1,5 @@
 
 /*
 
 /*
 
- * Copyright 2002-2013 the original author or authors.
 
+ * Copyright 2002-2018 the original author or authors.
 
  *
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
  * you may not use this file except in compliance with the License.
 
@@ -128,7 +128,7 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 	 * </p>
 
 	 * </p>
 
 	 *
 
 	 *
 
 	 * <p>
 
 	 * <p>
 
-	 * The following will ensure CSRF protection ignores:
 
+	 * For example, the following configuration will ensure CSRF protection ignores:
 
 	 * </p>
 
 	 * </p>
 
 	 * <ul>
 
 	 * <ul>
 
 	 * <li>Any GET, HEAD, TRACE, OPTIONS (this is the default)</li>
 
 	 * <li>Any GET, HEAD, TRACE, OPTIONS (this is the default)</li>
 
@@ -150,6 +150,35 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 
 				.and();
 
 				.and();
 
 	}
 
 	}
 
 
 
+	/**
 
+	 * <p>
 
+	 * Allows specifying {@link HttpServletRequest}s that should not use CSRF Protection
 
+	 * even if they match the {@link #requireCsrfProtectionMatcher(RequestMatcher)}.
 
+	 * </p>
 
+	 *
 
+	 * <p>
 
+	 * For example, the following configuration will ensure CSRF protection ignores:
 
+	 * </p>
 
+	 * <ul>
 
+	 * <li>Any GET, HEAD, TRACE, OPTIONS (this is the default)</li>
 
+	 * <li>We also explicitly state to ignore any request that has a "X-Requested-With: XMLHttpRequest" header</li>
 
+	 * </ul>
 
+	 *
 
+	 * <pre>
 
+	 * http
 
+	 *     .csrf()
 
+	 *         .ignoringRequestMatchers(request -> "XMLHttpRequest".equals(request.getHeader("X-Requested-With")))
 
+	 *         .and()
 
+	 *     ...
 
+	 * </pre>
 
+	 *
 
+	 * @since 5.1
 
+	 */
 
+	public CsrfConfigurer<H> ignoringRequestMatchers(RequestMatcher... requestMatchers) {
 
+		return new IgnoreCsrfProtectionRegistry(this.context).requestMatchers(requestMatchers)
 
+				.and();
 
+	}
 
+
 
 	@SuppressWarnings("unchecked")
 
 	@SuppressWarnings("unchecked")
 
 	@Override
 
 	@Override
 
 	public void configure(H http) throws Exception {
 
 	public void configure(H http) throws Exception {

+ 127 - 0
config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerIgnoringRequestMatchersTests.java
파일 보기 

@@ -0,0 +1,127 @@
 
+/*
 
+ * Copyright 2002-2018 the original author or authors.
 
+ *
 
+ * Licensed under the Apache License, Version 2.0 (the "License");
 
+ * you may not use this file except in compliance with the License.
 
+ * You may obtain a copy of the License at
 
+ *
 
+ *      http://www.apache.org/licenses/LICENSE-2.0
 
+ *
 
+ * Unless required by applicable law or agreed to in writing, software
 
+ * distributed under the License is distributed on an "AS IS" BASIS,
 
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 
+ * See the License for the specific language governing permissions and
 
+ * limitations under the License.
 
+ */
 
+
 
+package org.springframework.security.config.annotation.web.configurers;
 
+
 
+import org.junit.Rule;
 
+import org.junit.Test;
 
+
 
+import org.springframework.beans.factory.annotation.Autowired;
 
+import org.springframework.http.HttpMethod;
 
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
+import org.springframework.security.config.test.SpringTestRule;
 
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
+import org.springframework.test.web.servlet.MockMvc;
 
+import org.springframework.web.bind.annotation.RequestMapping;
 
+import org.springframework.web.bind.annotation.RestController;
 
+
 
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+
 
+/**
 
+ * @author Josh Cummings
 
+ */
 
+public class CsrfConfigurerIgnoringRequestMatchersTests {
 
+
 
+	@Autowired
 
+	MockMvc mvc;
 
+
 
+	@Rule
 
+	public final SpringTestRule spring = new SpringTestRule();
 
+
 
+	@Test
 
+	public void requestWhenIgnoringRequestMatchersThenAugmentedByConfiguredRequestMatcher()
 
+			throws Exception {
 
+		this.spring.register(IgnoringRequestMatchers.class, BasicController.class).autowire();
 
+
 
+		this.mvc.perform(get("/path"))
 
+				.andExpect(status().isForbidden());
 
+
 
+		this.mvc.perform(post("/path"))
 
+				.andExpect(status().isOk());
 
+	}
 
+
 
+	@EnableWebSecurity
 
+	static class IgnoringRequestMatchers extends WebSecurityConfigurerAdapter {
 
+		RequestMatcher requestMatcher =
 
+				request -> HttpMethod.POST.name().equals(request.getMethod());
 
+
 
+		@Override
 
+		protected void configure(HttpSecurity http) throws Exception {
 
+			// @formatter:off
 
+			http
 
+				.csrf()
 
+					.requireCsrfProtectionMatcher(new AntPathRequestMatcher("/path"))
 
+					.ignoringRequestMatchers(this.requestMatcher);
 
+			// @formatter:on
 
+		}
 
+	}
 
+
 
+	@Test
 
+	public void requestWhenIgnoringRequestMatcherThenUnionsWithConfiguredIgnoringAntMatchers()
 
+			throws Exception {
 
+
 
+		this.spring.register(IgnoringPathsAndMatchers.class, BasicController.class).autowire();
 
+
 
+		this.mvc.perform(put("/csrf"))
 
+				.andExpect(status().isForbidden());
 
+
 
+		this.mvc.perform(post("/csrf"))
 
+				.andExpect(status().isOk());
 
+
 
+		this.mvc.perform(put("/no-csrf"))
 
+				.andExpect(status().isOk());
 
+	}
 
+
 
+	@EnableWebSecurity
 
+	static class IgnoringPathsAndMatchers extends WebSecurityConfigurerAdapter {
 
+		RequestMatcher requestMatcher =
 
+				request -> HttpMethod.POST.name().equals(request.getMethod());
 
+
 
+		@Override
 
+		protected void configure(HttpSecurity http) throws Exception {
 
+			// @formatter:off
 
+			http
 
+				.csrf()
 
+					.ignoringAntMatchers("/no-csrf")
 
+					.ignoringRequestMatchers(this.requestMatcher);
 
+			// @formatter:on
 
+		}
 
+	}
 
+
 
+	@RestController
 
+	public static class BasicController {
 
+		@RequestMapping("/path")
 
+		public String path() {
 
+			return "path";
 
+		}
 
+
 
+		@RequestMapping("/csrf")
 
+		public String csrf() {
 
+			return "csrf";
 
+		}
 
+
 
+		@RequestMapping("/no-csrf")
 
+		public String noCsrf() {
 
+			return "no-csrf";
 
+		}
 
+	}
 
+}