csrf令牌已关联到此客户端

gstyhher  于 2021-07-26  发布在  Java
关注(0)|答案(1)|浏览(438)

我正在使用 spring-boot-starter-security-2.4.2 . 我有点担心
csrf令牌已关联到此客户端
在 Postman 中使用时。
这里我使用的是springcloudgateway,并为此添加了Spring Security 。

POST: localhost:8080/auth/login

body: {
    "username": "user",
    "password": "pass"
}

我也试过卷发:

curl -d "username=user1&password=abcd" -X POST http://localhost:8080/auth/login

下面是我的spring安全配置:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http=http
        .cors()
            .and()
        .csrf().disable();

    http=http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and();

    http=http
        .exceptionHandling()
            .authenticationEntryPoint(jwtAuthenticationEntryPoint)
            .and();

    http
        .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/auth/login/").permitAll()
            .antMatchers(HttpMethod.POST, "/public/user/links").permitAll()
            .anyRequest().authenticated();

    http
        .addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
}
lf3rwulv

lf3rwulv1#

这个问题是经过大量试验后解决的

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private SecurityContextRepository securityContextRepository;

    @Autowired
    private JwtWebFilter jwtWebFilter;

    @Bean
    public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {
        return http
            .exceptionHandling()
            .authenticationEntryPoint((swe, e) -> {
                return Mono.fromRunnable(() -> {
                    swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
                });
            }).accessDeniedHandler((swe, e) -> {
                return Mono.fromRunnable(() -> {
                    swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
                });
            }).and()
            .csrf().disable()

            .authenticationManager(authenticationManager)
            .securityContextRepository(securityContextRepository)
            .authorizeExchange()
            .pathMatchers("/auth/login").permitAll()
            .anyExchange().authenticated()
            .and().addFilterAfter(jwtWebFilter, SecurityWebFiltersOrder.FIRST)
            .build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

它与网关服务m工作良好,但与下游服务无关。筛选器未调用其他eureka客户端。有人能帮忙吗?

相关问题