[Spring Boot] spring security - CSRF 적용하기
[Spring Boot] spring security - CSRF 적용하기
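/**
 * Web security configuration that keeps Spring Security's CSRF protection
 * enabled while exempting a configurable list of URL prefixes from token
 * validation.
 *
 * <p>Every exempted prefix accepts state-changing requests without a CSRF
 * token, so the exclude list should stay as short as possible and be reviewed
 * whenever it changes.
 */
@Slf4j
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * URL prefixes for which the CSRF check is skipped, read from the
     * {@code test.security.csrf.exclude} property. They are compared against
     * the request URI with the context path removed.
     */
    @Value("${test.security.csrf.exclude}")
    private String[] excludeUrl;

    /**
     * Configures CSRF protection: it stays on, and only requests accepted by
     * {@link CsrfIgnoringRequestMatcher} bypass the token check.
     *
     * @param http the security builder supplied by Spring Security
     * @throws Exception if the CSRF configurer cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF defence: enabled, with an explicit ignore matcher.
            .csrf().ignoringRequestMatchers(new CsrfIgnoringRequestMatcher(this.excludeUrl));
    }

    /**
     * Matches the requests that should NOT be checked for a CSRF token:
     * requests using an allowed HTTP method, or whose path starts with one of
     * the configured prefixes.
     */
    private static class CsrfIgnoringRequestMatcher implements RequestMatcher {

        // HTTP methods that skip CSRF token validation.
        // NOTE(review): Spring Security's default CSRF matcher is understood to
        // already skip GET, HEAD, TRACE and OPTIONS, so this list is probably
        // redundant - confirm against the version in use. Either way, handlers
        // mapped to these methods must not change state.
        private static final String[] ALLOWED_METHODS = new String[] {"GET", "OPTIONS"};

        // URL prefixes that skip CSRF token validation.
        private final String[] allowedUrls;

        /**
         * @param allowedUrls URL prefixes exempt from the CSRF check; {@code null}
         *                    is treated as "no exemptions"
         */
        public CsrfIgnoringRequestMatcher(String[] allowedUrls) {
            // Defensive copy so later changes to the caller's array cannot
            // silently widen the exemption list.
            this.allowedUrls = (allowedUrls == null) ? new String[0] : allowedUrls.clone();
        }

        /**
         * @param request the incoming request
         * @return {@code true} when the CSRF check must be skipped for this request
         */
        @Override
        public boolean matches(HttpServletRequest request) {
            String method = request.getMethod();
            for (String allowedMethod : ALLOWED_METHODS) {
                if (allowedMethod.equalsIgnoreCase(method)) {
                    return true;
                }
            }

            // Strip the context path only as a literal leading prefix. The
            // previous replaceAll() treated it as a regular expression and
            // removed every occurrence, so a protected path that merely
            // contained the context path could be rewritten into one that
            // starts with an exempt prefix.
            String uri = request.getRequestURI();
            String contextPath = request.getContextPath();
            if (contextPath != null && !contextPath.isEmpty() && uri.startsWith(contextPath)) {
                uri = uri.substring(contextPath.length());
            }

            for (String allowedUrl : allowedUrls) {
                // A blank entry (for example from a stray comma in the property)
                // would match every URI via startsWith("") and disable CSRF
                // protection for the whole application, so it is skipped.
                if (allowedUrl == null || allowedUrl.trim().isEmpty()) {
                    continue;
                }
                // NOTE(review): this is a plain prefix match on the raw request
                // URI (not decoded or normalised), so "/api" also exempts
                // "/apiadmin". End each configured prefix with "/" or list exact
                // paths to keep the exemption narrow.
                if (uri.startsWith(allowedUrl)) {
                    return true;
                }
            }
            return false;
        }
    }
}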
from http://ynzu-dev.tistory.com/18 by ccl(S) rewrite - 2021-12-07 10:01:35