Spring Security 4.x 启用CSRF防御后logout只能是POST请求

青旅半醒 2022-07-12 19:38 171阅读 0赞

学习Spring Security时碰到这个问题

官方原文：

18.5.3 Logging Out

Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.

译:添加CSRF将更新LogoutFilter以仅使用HTTP POST。这样可以确保log out 请求需要CSRF令牌并且恶意用户无法伪造你的log out 请求。

One approach is to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.

一种方法是使用表单注销。 如果你真的想要一个链接，你可以使用JavaScript让链接执行POST（也许在一个隐藏的表单）。对于禁用JavaScript的浏览器，您可以选择包含用户到登录确认页面的链接，这将执行POST。

If you really want to use HTTP GET with logout you can do so, but remember this is generally not recommended. For example, the following Java Configuration will perform logout with the URL /logout is requested with any HTTP method:

如果你真的想使用HTTP GET与注销，你可以这样做，但记住这是一般不推荐。 例如，以下Java配置将执行注销，使用任何HTTP方法请求URL /注销：

@EnableWebSecurity
    public class WebSecurityConfig extends
    WebSecurityConfigurerAdapter {
    
    	@Override
    	protected void configure(HttpSecurity http) throws Exception {
    		http
    			.logout()
    				.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    	}
    }