springboot 訪問上傳頁面因csrf出現403的問題

flzhang發表於2017-06-23
Spring Boot


@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private Logger logger = LoggerFactory.getLogger(this.getClass());

    @Autowired
    MemDetailsService memDetailsService;


    @Autowired
    SimpleLoginSuccessHandler simpleLoginSuccessHandler;


    @Override
    //WebSecurity:For example, if you wish to ignore certain requests.
    //用於配置類似防火牆,放行某些URL。
    public void configure(WebSecurity web) throws Exception {
        // 設定不攔截規則
        //web.ignoring().antMatchers("/js/**", "/css/**", "/images/**", "/**/favicon.ico", "/swagger*/**", "/image/**", "/webjars/**","/v2/**");
        web.ignoring().antMatchers("/js/**", "/css/**", "/images/**", "/**/favicon.ico", "/image/**");
    }

    @Override
    //HttpSecurity:一般用它來具體控制許可權,角色,url等安全的東西。
    protected void configure(HttpSecurity http) throws Exception {
        // 設定CSRF規則
        http.csrf().requireCsrfProtectionMatcher(new SimpleCsrfSecurityRequestMatcher()).and().
                // 設定攔截規則
                        authorizeRequests()
                .antMatchers("/api/**", "/index", "/updateIndex.html", "/browserIndex.html", "/policy-zcff.html", "/policy-hydj.html", "/policy-jf.html", "/policy-card.html", "/faq.html", "/cm/satCm01Init", "/cm/satCm01List", "/faq/satFaq01", "/logout", "/loginSso", "/bulterservice.html", "/verifySso").permitAll()
                .antMatchers("/autoconfig/**", "/beans/**", "/configprops/**", "/dump/**", "/env/**", "/health/**", "/info/**", "/metrics/**", "/mappings/**", "/shutdown/**", "/trace/**").access("hasRole('ADMIN')")
                .anyRequest().authenticated()
                .and().formLogin().loginPage("/login").usernameParameter("saID").passwordParameter("password").permitAll().defaultSuccessUrl("/home", true).failureForwardUrl("/index").successHandler(simpleLoginSuccessHandler)
                .and().logout().logoutUrl("/logout").logoutSuccessUrl("/index")
                .and().exceptionHandling().accessDeniedPage("/logout")
                .and().sessionManagement().maximumSessions(1).expiredUrl("/index");
    }

    @Override
    //用於配置Authentication,比如LDAP, Database連線,以及使用者和角色的查詢方法。
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
        daoAuthenticationProvider.setHideUserNotFoundExceptions(false);
        daoAuthenticationProvider.setUserDetailsService(memDetailsService);


        auth.authenticationProvider(daoAuthenticationProvider);
        //auth.userDetailsService(memDetailsService);
        //.passwordEncoder(new BCryptPasswordEncoder())
    }
}

要解決403訪問許可權問題 必須加http.csrf().requireCsrfProtectionMatcher(new SimpleCsrfSecurityRequestMatcher()
要把上傳頁面URL過濾掉才能解決403
SimpleCsrfSecurityRequestMatcher具體實現

public class SimpleCsrfSecurityRequestMatcher implements RequestMatcher {

    private Logger logger = LoggerFactory.getLogger(this.getClass());

    private Pattern allowedMethods = Pattern
            .compile("^(GET|HEAD|TRACE|OPTIONS)$");


    @Override
    public boolean matches(HttpServletRequest request) {
        if (execludeUrls.size() > 0) {
            String servletPath = request.getServletPath();
            for (String url : execludeUrls) {
                if (servletPath.contains(url)) {
                    logger.debug("SimpleCsrfSecurityRequestMatcher排除的url:" + servletPath);
                    return false;
                }
            }
        }
        return !allowedMethods.matcher(request.getMethod()).matches();
    }

    /**
     * 需要排除的url列表
     */
    private final List execludeUrls = new ArrayList() {{
        add("/upload");
        add("/upload/uploadActivateAttachment");
        add("/buy02");
        add("/buy02/uploadActivationSel");

    }};
}

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/750077/viewspace-2141159/,如需轉載,請註明出處,否則將追究法律責任。

相關文章