
Java: how do I check whether CSRF protection is active?

In my Spring Boot project I am trying to implement CSRF protection. In particular, the project only calls endpoints (REST API GET and POST) through RestTemplate.

//CONTROLLER
@GetMapping("/RT_Get1")
public void getWithRestTemplateGet1() throws Exception {
    // methodName was not declared in the posted snippet; it is only used for the error log
    final String methodName = "getWithRestTemplateGet1";
    try {
        fourStoreService.getWithRestTemplateGet1();
    } catch (final Exception e) {
        this.errorLog(methodName, e);
        throw e;
    }
}

//SERVICE
// (@ResponseBody belongs on controller methods, not on a service method, so it is dropped here)
public void getWithRestTemplateGet1() {
    try {
        String url = protocol + ip + root + gets.get(0);
        HttpHeaders headers = new HttpHeaders();
        headers.setBasicAuth(username, password);
        // GET request with no body: only the headers are sent
        HttpEntity<Void> request = new HttpEntity<>(headers);
        try {
            if (url.startsWith("https")) {
                restTemplate = getRestTemplateForSelfSsl();
            } else {
                restTemplate = new RestTemplate();
            }
            ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.GET, request, String.class);
            HttpStatus statusCode = response.getStatusCode();
            logger.info("STATUS GET1: " + statusCode);
        } catch (HttpStatusCodeException e) {
            // 4xx/5xx from the remote endpoint (a 403 here would be the remote side rejecting us)
            logger.error(e.getMessage());
        }
    } catch (Exception e) {
        logger.error(e.getMessage());
    }
}

I implemented the following CSRF configuration class:

@Configuration
@EnableWebSecurity
public class CSRFSecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Value("${security.enable-csrf}")
    private boolean csrfEnabled;

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("{noop}password").roles("USER");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").hasAnyRole("USER").and().formLogin().loginPage("/login")
                .permitAll();

        // CSRF protection is on by default; switch it off only when the flag is false
        // (the posted snippet had the condition inverted and disabled it when the flag was true)
        if (!csrfEnabled) {
            http.csrf().disable();
        }
    }
}

The variable that activates and deactivates it is set in application.yml:

security:
  enable-csrf: false   # key must match the @Value placeholder "security.enable-csrf"; "enable: csrf:" does not

But how can I tell whether the CSRF protection is actually in effect... What kind of logging can I add when I make the calls with RestTemplate? Please help me.
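An added example, not code from the question, that answers "what kind of log": a Spring Security 5 configuration (class names CsrfLoggingConfiguration and CsrfProbeFilter are made up here) that logs on every incoming request whether CsrfFilter ran, and logs every request the filter rejects. Keep in mind that CSRF protection guards requests arriving at this application; a RestTemplate call going out to another server is not affected by this application's CSRF setting.

```java
import java.io.IOException;
import javax.servlet.*;          // FilterChain, ServletException
import javax.servlet.http.*;     // HttpServletRequest, HttpServletResponse
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.*;   // CsrfException, CsrfFilter, CsrfToken
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class names; this is an added example, not the project's own configuration.
@Configuration
@EnableWebSecurity
public class CsrfLoggingConfiguration extends WebSecurityConfigurerAdapter {
    private static final Logger log = LoggerFactory.getLogger(CsrfLoggingConfiguration.class);

    @Value("${security.enable-csrf}")
    private boolean csrfEnabled;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
        log.info("CSRF protection configured: enabled={}", csrfEnabled);
        if (!csrfEnabled) {
            http.csrf().disable(); // CsrfFilter is left out of the chain entirely
        } else {
            // A POST/PUT/DELETE without a valid token is rejected here with a CsrfException
            http.exceptionHandling().accessDeniedHandler((req, res, ex) -> {
                if (ex instanceof CsrfException) {
                    log.warn("CSRF rejected {} {}: {}", req.getMethod(), req.getRequestURI(), ex.getMessage());
                }
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
            });
        }
        // Runs right after CsrfFilter; the token attribute exists only while protection is active
        http.addFilterAfter(new CsrfProbeFilter(), CsrfFilter.class);
    }

    static class CsrfProbeFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            CsrfToken token = (CsrfToken) req.getAttribute(CsrfToken.class.getName());
            log.info("{} {} csrfActive={}", req.getMethod(), req.getRequestURI(), token != null);
            chain.doFilter(req, res);
        }
    }
}
```

To observe it from RestTemplate, POST to one of this application's own endpoints with basic auth and no token: with the flag true you get a 403 plus the "CSRF rejected" line, with the flag false the request succeeds and the probe logs csrfActive=false. Setting logging.level.org.springframework.security=DEBUG additionally prints the filter chain, where CsrfFilter appears only when protection is on.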
