package cn.home1.oss.lib.security.starter;
import cn.home1.oss.lib.security.CsrfHeaderFilter;
import lombok.SneakyThrows;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
/**
* Created by zhanghaolun on 16/8/19.
*/
@Order(CsrfConfiguration.ORDER_CSRF)
@Configuration
public class CsrfConfiguration extends SecurityConfigurerAdapter<CsrfConfiguration> {

  /** Ordered directly after the verify-code configurer. */
  public static final int ORDER_CSRF = VerifyCodeConfiguration.ORDER_VERIFY_CODE + 1;

  /**
   * Optional bean. When it is absent, both CSRF protection and the
   * X-XSS-Protection header are switched off (see {@link #configure}).
   */
  @Autowired(required = false)
  private SecurityProperties securityProperties;

  /**
   * Applies the CSRF and X-XSS-Protection settings to {@code http}.
   *
   * <p>CSRF protection is enabled only when a {@link SecurityProperties} bean is present
   * and {@code enableCsrf} is true; otherwise it is disabled. The same pattern applies to
   * the {@code headers.xss} flag for X-XSS-Protection.
   *
   * <p>NOTE(review): a missing {@code SecurityProperties} bean disables protection rather
   * than enabling it, so deployments that rely on CSRF must make sure the properties are
   * wired in. TODO: full CSRF support for cookie, header and every kind of front end;
   * RESOURCE applications do not enable CSRF.
   *
   * @param http the builder to configure
   */
  @SneakyThrows
  @Override
  public void configure(final HttpSecurity http) {
    this.configureCsrf(http);
    this.configureXssProtection(http);
  }

  /** Enables cookie-based CSRF protection plus the CsrfHeaderFilter, or disables CSRF entirely. */
  private void configureCsrf(final HttpSecurity http) throws Exception {
    final boolean csrfEnabled =
        this.securityProperties != null && this.securityProperties.isEnableCsrf();
    if (!csrfEnabled) {
      http.csrf().disable();
      return;
    }
    http.csrf().csrfTokenRepository(this.csrfTokenRepository());
    // CsrfHeaderFilter runs after CsrfFilter; what it does is defined outside this file —
    // presumably it exposes the token to the front end, since the cookie itself is HttpOnly. Confirm.
    http.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);
  }

  /** Turns the X-XSS-Protection response header on or off according to {@code headers.xss}. */
  private void configureXssProtection(final HttpSecurity http) throws Exception {
    final boolean xssEnabled =
        this.securityProperties != null && this.securityProperties.getHeaders().isXss();
    if (xssEnabled) {
      http.headers().xssProtection().xssProtectionEnabled(true);
    } else {
      http.headers().xssProtection().disable();
    }
  }

  /**
   * Builds the cookie-backed token repository (available since Spring Security 4.1.0).
   *
   * <p>A session-backed {@code HttpSessionCsrfTokenRepository} was considered; the cookie
   * repository is less secure than the session one but keeps the server stateless. The cookie
   * is marked HttpOnly so page scripts cannot read it. The token is expected in the
   * {@code X-XSRF-TOKEN} request header or the {@code _csrf} request parameter.
   * TODO: test the cookie token repository (not the session one).
   *
   * @return the configured {@link CookieCsrfTokenRepository}
   */
  private CsrfTokenRepository csrfTokenRepository() {
    final CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
    repository.setCookieHttpOnly(true);
    repository.setHeaderName("X-XSRF-TOKEN");
    repository.setParameterName("_csrf");
    return repository;
  }
}