当我在本地运行应用程序(angular front,spring boot back)时,所有方法都可以工作,包括put和delete。但一旦部署到服务器上,put和delete就返回403 forbidden,而get和post工作得很好。
我已经搜索了很多,很多答案指向csrf。我试过用不同的方式配置它,但是找不到问题。请注意,post确实有效,它也会通过我的定制csrf过滤器。
这是我当前的配置:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** HSTS max-age sent on every response: one year, in seconds. */
    private static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    /** Origins the browser may call this API from; the first one is the local Angular dev server. */
    private static final String[] ALLOWED_ORIGINS = {
            "http://localhost:4200", "https://intrauat.web.bc", "https://intrait.web.bc", "https://intra.web.bc"};

    /**
     * Response hardening (frame options + HSTS), CORS from the bean below, Spring's own CSRF
     * handling switched off in favour of {@link CustomCsrfFilter}, and HTTP Basic authentication.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Same-origin framing only, plus HSTS that also covers subdomains.
        http.headers()
                .frameOptions().sameOrigin()
                .httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(HSTS_MAX_AGE_SECONDS);

        // CORS is resolved through corsConfigurationSource(). Spring's built-in CSRF token
        // validation is disabled here; CustomCsrfFilter is installed in its place below.
        http.cors();
        http.csrf().disable();

        // HTTP Basic, with the custom filter placed where CsrfFilter would normally run.
        // NOTE(review): no authorizeRequests() rule appears in this class, so nothing here
        // requires a request to be authenticated — confirm that is enforced elsewhere.
        http.httpBasic();
        http.addFilterAfter(new CustomCsrfFilter(), CsrfFilter.class);
    }

    /**
     * CORS policy applied to every path: the fixed origin allow-list, the five methods the
     * frontend uses, {@code Content-Type} as the only permitted request header, credentials allowed.
     *
     * @return the path-based CORS source registered for {@code /**}
     */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cors = new CorsConfiguration();
        cors.setAllowedOrigins(Arrays.asList(ALLOWED_ORIGINS));
        cors.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        // NOTE(review): only Content-Type is allowed on preflight. A cross-origin caller that sets
        // Authorization explicitly for httpBasic would fail preflight — confirm how the deployed
        // frontend authenticates.
        cors.setAllowedHeaders(Arrays.asList("Content-Type"));
        cors.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource registry = new UrlBasedCorsConfigurationSource();
        registry.registerCorsConfiguration("/**", cors);
        return registry;
    }
}
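@Component
public class CustomCsrfFilter extends OncePerRequestFilter {

    /** Name of the cookie and of the session attribute that carry the client-supplied token. */
    public static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
    /** Header name for returning a token; not referenced anywhere in this class. */
    protected static final String RESPONSE_TOKEN_NAME = "X-CSRF-TOKEN";

    /** Request parameter in which the client is expected to send the token. */
    private static final String TOKEN_PARAMETER = "token";

    /**
     * Rejects requests for {@code /scripts/jquery} resources outright; for state-changing
     * requests, applies the Origin/Referer presence check and token bookkeeping of
     * {@link #subcrsfProcessing}; otherwise lets the request continue down the chain.
     *
     * NOTE(review): as a {@code @Component} this filter may also be registered on the servlet
     * chain by Spring Boot in addition to the manual {@code addFilterAfter}; OncePerRequestFilter
     * prevents a second execution per request, but confirm the intended position.
     *
     * @throws ServletException propagated from the rest of the filter chain
     * @throws IOException      propagated from the filter chain or from {@code sendError}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        String url = request.getRequestURL().toString();
        String methodType = request.getMethod();
        String origin = request.getHeader("origin");
        String referer = request.getHeader("referer");

        if (isNotNull(url) && url.contains("/scripts/jquery")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            // Stop here: previously the code fell through to filterChain.doFilter() after the
            // 403 had already been committed, so the request kept being processed.
            return;
        }

        boolean errorFound = subcrsfProcessing(request, response, false, url, methodType, origin, referer);
        if (errorFound) {
            // NOTE(review): the status is 404 while the message says "Bad Request"; kept as-is
            // because the frontend may depend on it, but pick one deliberately.
            response.sendError(HttpServletResponse.SC_NOT_FOUND, " Bad Request for csrf ");
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /**
     * For POST/PATCH/PUT/DELETE requests: reports an error when neither an Origin nor a
     * Referer header is present on an {@code /api/} URL; otherwise copies the {@code token}
     * request parameter into the XSRF-TOKEN cookie and the HTTP session.
     *
     * Only the <em>presence</em> of Origin/Referer is checked, never their value, and the
     * submitted token is stored without being compared to anything the server issued —
     * so this method does bookkeeping, not CSRF token validation.
     *
     * @param errorFound the incoming error flag, returned unchanged unless the check fails
     * @return {@code true} when the Origin/Referer check fails, else {@code errorFound}
     */
    private boolean subcrsfProcessing(HttpServletRequest request, HttpServletResponse response, boolean errorFound,
            String url, String methodType, String origin, String referer) {
        if (!isNotNull(url) || !isStateChanging(methodType)) {
            return errorFound;
        }
        if (referer == null && origin == null && url.contains("/api/")) {
            return true;
        }

        String cookieFromAngular = request.getParameter(TOKEN_PARAMETER);
        // NOTE(review): a missing parameter yields a cookie with a null value and clears the
        // session attribute instead of failing the request — confirm that is intended.
        Cookie cookie = new Cookie(CSRF_COOKIE_NAME, cookieFromAngular);
        cookie.setSecure(true);
        cookie.setPath("/");
        cookie.setHttpOnly(false); // left readable by client-side script
        response.addCookie(cookie);
        // getSession() creates a session when none exists yet.
        request.getSession().setAttribute(CSRF_COOKIE_NAME, cookieFromAngular);
        return errorFound;
    }

    /** True for the HTTP methods this filter treats as state-changing (case-insensitive). */
    private static boolean isStateChanging(String methodType) {
        if (!isNotNull(methodType)) {
            return false;
        }
        return methodType.equalsIgnoreCase("POST") || methodType.equalsIgnoreCase("PATCH")
                || methodType.equalsIgnoreCase("DELETE") || methodType.equalsIgnoreCase("PUT");
    }

    /** True when {@code str} is neither {@code null} nor empty. */
    private static boolean isNotNull(String str) {
        return str != null && !str.isEmpty();
    }
}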
谢谢您!