CSRF 禁用在 Spring Security 中不起作用

Question

我目前正在使用 Spring Security 测试 REST API。因为这只是测试，所以我禁用了 CSRF。使用下面的代码，对 /users 的 Postman 获取请求可以完美运行，但来自 Postman 的任何其他类型的请求（例如 post、delete、put）都会返回 403 FORBIDDEN 错误。实在想不通。

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .httpBasic();
    }
}  

Answer 1

您是否有任何 cors 配置设置以允许“GET”以外的方法？

您可以创建一个CorsConfigurationSource bean，它应该允许访问这些类型的请求

@Configuration
public class CorsConfig {

    private static final String[] CORS_ALLOWED_HEADERS = new String[] {
        "*",
    };

    private static final String[] CORS_ALLOWED_METHODS = new String[] {
        "GET",
        "POST",
        "PUT",
        "OPTIONS"
    };

    private static final String CORS_API_PATTERN = "/api/**";

    private static final long CORS_MAX_AGE = 3600;

    @Value("${cors.allowed-origins}")
    private String[] corsAllowedOrigins;

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {

        final CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList(corsAllowedOrigins));
        configuration.setAllowedMethods(Arrays.asList(CORS_ALLOWED_METHODS));
        configuration.setAllowCredentials(true);
        configuration.setMaxAge(CORS_MAX_AGE);
        configuration.setAllowedHeaders(Arrays.asList(CORS_ALLOWED_HEADERS));

        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration(CORS_API_PATTERN, configuration);

        return source;

    }