You have at least two options.

One is to implement a custom RequestMatcher (org.springframework.security.web.util.RequestMatcher) which will not match on the Spring SAML URLs, and supply it to the csrf configuration with:

    http.csrf().requireCsrfProtectionMatcher(matcher);

The other, simpler way is to define the Spring SAML endpoints in a separate http configuration which does not enable csrf protection. The XML configuration for doing this can look similar to:
    <!-- SAML processing endpoints -->
    <security:http pattern="/saml/**" entry-point-ref="samlEntryPoint">
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
        <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    </security:http>

    <!-- Secured pages with SAML as entry point -->
    <security:http entry-point-ref="samlEntryPoint">
        <security:csrf />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
        <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
    </security:http>
For Java configuration, something like this should work:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.access.channel.ChannelProcessingFilter;
    import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

    // samlEntryPoint(), metadataGeneratorFilter() and samlFilter() are the
    // Spring SAML beans defined elsewhere in the application configuration.
    @Configuration
    @EnableWebSecurity
    public class MultipleHttpConfigurationConfig {

        // Ordered first so that /saml/** is claimed by this chain and never
        // reaches the CSRF-protected chain below.
        @Configuration
        @Order(1)
        public static class SAMLWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.antMatcher("/saml/**");
                http.csrf().disable();
                http.httpBasic().authenticationEntryPoint(samlEntryPoint());
                http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class)
                    .addFilterAfter(samlFilter(), BasicAuthenticationFilter.class);
            }
        }

        // Default order (100): handles every request the SAML chain did not match,
        // with CSRF protection enabled (the Java config default).
        @Configuration
        public static class BasicWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http.httpBasic().authenticationEntryPoint(samlEntryPoint());
                http.addFilterBefore(metadataGeneratorFilter(), ChannelProcessingFilter.class);
                http
                    .authorizeRequests()
                    .antMatchers("/error").permitAll()
                    // anyRequest() must be the last rule; a second anyRequest() after it
                    // would be unreachable and is rejected by newer Spring Security versions.
                    .anyRequest().hasAnyAuthority("MyRole");
                http.logout().logoutSuccessUrl("/");
            }
        }
    }

Details on defining multiple http configurations using Java configuration can be found in the Spring Security manual.
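As an added example that is not part of the original answer, here is what the first option (a custom RequestMatcher handed to requireCsrfProtectionMatcher) can look like in Java configuration. It keeps CSRF protection on for every state-changing request in the application and exempts only the SAML endpoints, which receive the IdP's SAMLResponse as a cross-site POST that cannot carry the application's CSRF token. The class names, the /saml/** prefix and the javax.servlet import (Spring Security 5.x, before the Jakarta namespace change) are assumptions; the SAML filters and entry point are wired exactly as in the answer's own configuration and are omitted here.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Example configuration (assumed names, not from the original answer).
@Configuration
@EnableWebSecurity
public class CsrfMatcherSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Matches the requests that MUST present a CSRF token: every request that
     * is not a "safe" HTTP method and is not addressed to the SAML endpoints.
     * Requests this matcher does not match bypass the CsrfFilter entirely, so
     * the exemption is kept as narrow as possible (one path prefix).
     */
    public static class SamlAwareCsrfRequestMatcher implements RequestMatcher {

        // Same safe-method set that Spring Security's default CSRF matcher uses.
        private static final Set<String> SAFE_METHODS =
                new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

        // Assumption: the Spring SAML processing endpoints (SSO, SLO, metadata)
        // are mounted under /saml/**; adjust to your filter chain.
        private final RequestMatcher samlEndpoints = new AntPathRequestMatcher("/saml/**");

        @Override
        public boolean matches(HttpServletRequest request) {
            // Safe methods never need a token.
            if (SAFE_METHODS.contains(request.getMethod())) {
                return false;
            }
            // Every other POST/PUT/DELETE/PATCH needs a token, except the SAML
            // endpoints, where the IdP posts the assertion without one.
            return !samlEndpoints.matches(request);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().requireCsrfProtectionMatcher(new SamlAwareCsrfRequestMatcher());
        // samlEntryPoint(), metadataGeneratorFilter() and samlFilter() are wired
        // here the same way as in the single-chain configuration in the answer.
    }
}
```

With this matcher in place a single http configuration can keep `csrf()` enabled: a POST to /saml/SSO is let through to the SAML filter, while a POST to any other URL still fails with 403 unless it carries the token. On Spring Security 4 and later the same effect is available with less code via `http.csrf().ignoringAntMatchers("/saml/**")`, which wraps the default matcher in exactly this kind of negated path check; either way, the SAML message that arrives on the exempted endpoint is then validated by the SAML filter itself (signature and InResponseTo checks), not by CSRF.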



